You’re part of an SME in Singapore and the PDPA has been knocking at your business’s door for quite a long time now, but you’re still having a hard time understanding and adjusting to its rules. Does this scenario sound familiar?
If so, welcome to our blog post, PDPA Made Easy for Small and Medium Enterprises! We’ve built this guide to demystify how PDPA affects Small and Medium Businesses, and help you understand what the regulation entails, its importance in the compliance and cybersecurity ecosystem, and steps to become compliant with PDPA.
To facilitate your learning even more, we’ve divided this guide into the following sections:
Putting it simply: the Personal Data Protection Act 2012 (PDPA) provides a framework for companies to follow for personal data protection. It comprises various rules governing the collection, use, disclosure and care of personal data.
PDPA takes into account an individual’s right to data protection and an organization’s commercial right to collect, use or disclose personal data for a reasonable purpose. Due to an increase in the commercial activities of organizations, many individuals are concerned about the way in which their personal data is being used. Therefore, PDPA was enacted to balance the interests of the individual with those of the organization. By regulating the flow of personal data among organizations, the PDPA also has the important mission of maintaining Singapore’s position as a trusted, world-class hub for businesses.
PDPA imposes nine obligations on an organization, which are: consent; purpose; notification; access and correction; openness; protection; accuracy; retention; and transfer.
PDPA is administered and enforced by the Personal Data Protection Commission (PDPC). The PDPC represents the Singapore Government and it serves as the main authority dealing with matters related to personal data protection. This governing body is entrusted with the task of formulating and implementing policies related to protection of personal data. Their responsibilities include issuing policies, regulations and advisory guidelines to direct organizations and help them comply with the PDPA. They also act as an enforcement authority by handling individual complaints against an organization and imposing penalties on defaulters.
PDPA applies to all organizations dealing with personal data stored in electronic and non-electronic forms. Since SMEs deal not only with their customers’ data, but also with employees’ and other third-party data, it’s essential that these businesses comply with the PDPA.
Many SMEs are still uncertain about the applicability of certain PDPA rules to their businesses. They seek guidance in understanding its rules, as this ambiguity is hindering their progress towards compliance with the PDPA.
To clarify these ambiguities, the Government of Singapore has taken steps to help SMEs understand PDPA compliance. For example, the PDPA Legal Advice Scheme (Scheme) was developed by the Law Society of Singapore in consultation with the Personal Data Protection Commission (PDPC) to assist SMEs in complying with the PDPA: the organization completes a PDPA checklist for organizations before a one-hour consultation with an assigned lawyer, for a fee of S$500. During the consultation, SMEs are provided with advice on whether they are in compliance with the PDPA provisions, and the follow-up actions to adopt if there are gaps.
One of the major gaps in PDPA compliance is inadequate knowledge of the full extent and scope of the organization’s data collection. In many cases, organizations obtain prior consent for the collection and use of an individual’s personal data; however, many fail to implement an opt-in and opt-out system for customers.
In October 2019 the PDPC added a new chapter (Chapter 8) on cloud services to its advisory guidelines on the PDPA. This update affected many SMEs, as most of them use cloud computing. The crux of Chapter 8 is that organizations engaging cloud service providers remain responsible for complying with the PDPA. If an overseas data transfer is required, organizations must also ensure that the destination has strong data privacy laws, comparable to the PDPA. In order to reduce the risk of non-compliance, businesses need to assess themselves against the PDPA and the relevant local laws of the country where the cloud service provider is located. Many SMEs struggle to assess their obligations not only under the PDPA but also under cross-border regulations on data protection.
One must also note that, in order to help SMEs, the PDPC has taken up an initiative to train their Data Protection Officers (DPOs). To support the training of DPOs, PDPC is working with the Workforce Development Agency (WDA) to enhance its two-day Business Management Workforce Skills Qualification (WSQ) PDPA course. PDPC is also working with SPRING Singapore to help SMEs tap on the SPRING Capability Development Grant to improve their data and business risk management capabilities. This helps companies offset around 70 percent of qualifying costs such as consultancy, training and assessments. To promote the sharing of best practices, PDPC has issued new guides offering practical advice on building websites and on IT vendor management, as well as sample contractual clauses that can be included in agreements with vendors.
Another PDPC guide educates organizations on ways to dispose of physical media, such as paper, that contain personal data. PDPC has also updated its existing guide on securing personal data in electronic media to include new chapters on cloud computing, IT outsourcing and security patching, and has revised several advisory guidelines to provide further clarity on access requests and withdrawal of consent. Yet many SMEs still struggle to comply with the policies because of increased paperwork and a lack of knowledge.
SMEs must take the necessary precautions when dealing with personal data, depending on its nature. For instance, the organization (as an employer) must take reasonable steps when dealing with its employees’ personal data by having an internal data management system. In the case of Re Executive Coach International Pte Ltd SGPDPC 3, a director of an organization disclosed sensitive personal data regarding an employee in a WhatsApp group chat with other employees. The PDPC held the organization liable for breach of the PDPA. Therefore, an organization must take adequate measures to train its employees.
The PDPC puts a lot of emphasis on an organization’s responsibility when handling customer data. In Re SLF Green Maid Agency SGPDPC 27, an organization’s staff, while interacting with prospective customers, reused scrap and discarded paper containing the personal data of individuals, including photocopies of their national registration identity cards, foreign identity numbers, passport numbers and expiry dates, and signatures. PDPC ruled that the organization had breached the PDPA. This caused a lot of reputational damage to the organization.
The above examples show that an organization must provide PDPA training to its staff in order to avoid financial and reputational damage.
Due to increasing globalization and cross-border data transfer, many countries around the world are focusing on protecting the personal data of their citizens. The PDPA was likewise made with the objective of protecting the personal data of Singapore citizens and permanent residents (PRs). Similarly, the European Union (EU) formulated the General Data Protection Regulation (GDPR) to protect the personal data of its citizens, and the government of California enacted the California Consumer Privacy Act (CCPA) to protect consumers’ personal data. SMEs must understand the differences between these regulations in order to determine the applicability of, and the compliance requirements under, each regulation. The main differences are as follows:
An organization must communicate its internal data protection policies to its employees. It must also provide training to non-technical employees to ensure that they do not breach PDPA obligations. The organization must inform all employees of its data protection policies and practices and make sure they know and adhere to the processes for protecting personal data. With the help of internal data security policies, it must specify employees’ roles in safeguarding personal data and in ensuring that the organisation complies with the PDPA. The organization should use posters, email and other communication tools to educate employees on the importance of personal data protection.
One may also note that PDPA provides for a Data Protection Management Program (DPMP). Not only MNCs or listed companies but also many SMEs are directed to implement a DPMP. A DPMP is a systematic framework to help organisations establish a robust data protection infrastructure. It covers management policies and processes for the handling of personal data as well as defines roles and responsibilities of the people in the organisation in relation to personal data protection (please refer to para 1.1 of the Guide to Develop a DPMP).
In order to make the compliance obligations more reader-friendly, the PDPC has issued a 10-step PDPA Checklist to make sure that companies are compliant with the data protection obligations. These 10 steps are as follows:
Presently, organizations operate in a well-connected digital economy while dealing with a burgeoning amount of data. In such circumstances, a checkbox compliance approach is not sufficient to keep pace with developments. Therefore, organizations must shift to an accountability approach to managing personal data.
An accountable organization should be able to set up a proper management system to protect personal data. This includes adapting legal requirements into policies and practices, utilising monitoring mechanisms and controls to ensure that policies are effectively implemented and awareness programmes are conducted.
A competent Data Protection Officer is the key to preventing non-compliance with the PDPA. Although the DPO is responsible for ensuring compliance, many organisations have a team consisting of senior management and personnel from other departments to assist in personal data related matters. An organisation shall make the business contact information of the DPO available to the public. However, appointing a DPO does not free the organization of its own obligations. The DPO designated by an organisation should be sufficiently skilled and knowledgeable, and organizations should ensure that individuals appointed as DPO are trained and certified.
In order to have a good management system, an organization must: (i) appoint a Data Protection Officer (“DPO”), preferably from senior management, who can effectively direct and oversee data protection initiatives; (ii) endorse a DPMP; (iii) establish a risk management framework and reporting mechanisms; and (iv) create and communicate a data security policy which specifies the organisation’s approach to handling personal data.
The PDPC requires an organization to communicate its personal data protection policies to both internal stakeholders (e.g. staff) and external parties (e.g. customers). Having dedicated internal policies on specific areas will also give internal stakeholders clarity on their responsibilities and on the processes for handling personal data in their day-to-day work.
The penalty for a personal data breach by an organization is provided under Section 29(1) of the PDPA. It states that the PDPC may, upon being satisfied that an organization is non-compliant with the PDPA provisions, give the organization such directions as the PDPC thinks fit depending on the circumstances of the case. Along with a financial penalty, the PDPC may also give a non-compliant organisation the following directions:
The PDPC also lists out certain aggravating factors which may lead to an increase in penalty. These factors are as follows:
Calculations done by The Business Times based on decisions published since April 2016 on the PDPC website showed that the amount of penalties imposed totalled S$2.12 million over this period.
Many organizations have suffered heavy penalties due to non-compliance, as seen in the case of Orchard Turn Developments, where the PDPC imposed a fine of S$15,000/- on the organization for not making reasonable security arrangements to protect the personal data of its customers stored on its server.
Organizations have also faced non-compliance problems due to a lack of management training. For example, in the Hazel Florist case the PDPC issued a warning to an SME because it had not trained its employee to protect personal data: the employee used paper containing customers’ personal data as wrapping paper for gifts. Similarly, in Singapore Health Services Pte. Ltd. & Ors. SGPDPC 3, the PDPC imposed a fine of S$1,000,000/- on the organization because it did not have a proper data management policy and did not provide proper training to its employees on handling sensitive personal data. As a result, 1.5 million patients’ data was breached due to a lapse in the cybersecurity system.
It takes time and team dedication to build a PDPA compliance program. Your assigned Data Protection Officer will be the one responsible for dealing with the full checklist of PDPA requirements, but it only takes one employee misstep to become non-compliant with its regulations.
In order to drive awareness and proper training for your workforce in handling both internal and external personal data, you should look for a smart solution that helps you drive meaningful and long-lasting behavior change within your organization.
Right-Hand’s Compliance Readiness solution contains a Machine Learning engine that automates and customises the ability for compliance teams to develop, store, disseminate, increase awareness and drive behaviour change for corporate policies. Combined with Training Readiness’s customized micro-learning approach, this set of solutions will help your DPO save time and resources when dealing with the PDPA regulations.
The information provided by Right-Hand is for general information purposes only to permit you to learn more about our products and services. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. The information provided is accurate and useful to the best of our knowledge. However, the information may not be current, and is subject to change without notice. No one should act, or refrain from acting, based solely upon the information provided herein without first seeking appropriate legal or other professional advice. No attorney-client or confidential relationship exists or will be formed between you and Right-Hand or any of our representatives.