PDPA Made Easy for Small and Medium Enterprises

Published by Shivani Kumar on October 29, 2020

You’re part of an SME in Singapore. The PDPA has been knocking at your business’s door for quite a long time now, but you’re still having a hard time understanding and adjusting to its rules. Does this scenario sound familiar?

If so, welcome to our blog post, PDPA Made Easy for Small and Medium Enterprises! We’ve built this guide to demystify how the PDPA affects small and medium businesses: what the regulation entails, why it matters in the compliance and cybersecurity ecosystem, and the steps to become compliant with it.

To make the guide easier to follow, we’ve divided it into the following sections:

  • PDPA Overview
  • How does PDPA affect my Small or Medium Business?
  • PDPA rules in dealing with internal and external data
  • Main differences between PDPA and other regulations like GDPR and CCPA
  • What are the critical steps my business should implement to be compliant with PDPA?
  • The PDPA Checklist Explained
  • The Accountability Approach When Dealing with PDPA
  • Who In My Company is Responsible for Creating and Managing Policies?
  • The cost of non-compliance with PDPA
  • Once a policy compliance program is set, how to ensure my employees are aligned with it?

PDPA Overview

Put simply, the Personal Data Protection Act 2012 (PDPA) provides a framework that organizations must follow to protect personal data. It comprises rules governing the collection, use, disclosure and care of personal data.

The PDPA balances an individual’s right to have their personal data protected against an organization’s legitimate commercial need to collect, use or disclose personal data for reasonable purposes. As organizations’ commercial activities have grown, so have individuals’ concerns about how their personal data is used, and the PDPA was enacted to balance the interests of individuals with those of organizations. By regulating the flow of personal data among organizations, the PDPA also serves to maintain Singapore’s position as a trusted, world-class hub for businesses.


The PDPA imposes nine obligations on an organization: consent; purpose limitation; notification; access and correction; accuracy; protection; retention limitation; transfer limitation; and openness.

The PDPA is administered and enforced by the Personal Data Protection Commission (PDPC), the Singapore Government’s main authority for personal data protection matters. The PDPC formulates and implements personal data protection policy, and issues regulations and advisory guidelines to direct organizations and help them comply with the PDPA. It also acts as the enforcement authority: it handles individuals’ complaints against organizations, investigates, and imposes penalties on organizations found in breach.

How does PDPA affect my Small or Medium Business?

The PDPA applies to all organizations that handle personal data, whether stored in electronic or non-electronic form. Since an SME handles not only its customers’ data but also its employees’ and other third parties’ data, it is essential that these businesses comply with the PDPA.

Many SMEs are still uncertain about how specific PDPA rules apply to their businesses, and this ambiguity slows their progress towards compliance.

To address this, the Government of Singapore has taken steps to help SMEs understand PDPA compliance. For example, the PDPA Legal Advice Scheme (Scheme) was developed by the Law Society of Singapore in consultation with the PDPC to assist SMEs. Under the Scheme, an SME completes a PDPA compliance checklist for organizations before a one-hour consultation with an assigned lawyer, for a fee of S$500. During the consultation, the SME receives advice on whether it complies with the PDPA provisions and on the follow-up actions to take if there are gaps.

One of the major gaps in PDPA compliance is inadequate knowledge of the full extent and scope of the organization’s own data collection; without an inventory of what personal data is collected, where it is held and why, the other obligations cannot be met reliably. In many cases organizations obtain prior consent for the collection and use of an individual’s personal data, but fail to implement a system that lets customers opt in and opt out.

In October 2019 the PDPC added a new chapter (Chapter 8) on cloud services to its advisory guidelines on the PDPA. This update affected many SMEs, as most of them use cloud computing. The crux of Chapter 8 is that an organization engaging a cloud service provider remains responsible for complying with the PDPA. If the cloud service involves transferring personal data overseas, the organization must also ensure that the overseas recipient is bound by legally enforceable obligations (for example, contractual terms) to protect the data to a standard comparable to the PDPA. To reduce the risk of non-compliance, businesses need to assess themselves against the PDPA and against the relevant local laws of the country where the cloud service provider is located. Many SMEs struggle to assess their obligations not only under the PDPA but also under cross-border data protection regulations.

One must also note that, to help SMEs, the PDPC has taken up an initiative to train Data Protection Officers (DPOs). To support DPO training, the PDPC is working with the Workforce Development Agency (WDA) to enhance its two-day Business Management Workforce Skills Qualification (WSQ) PDPA course. The PDPC is also working with SPRING Singapore to help SMEs tap on the SPRING Capability Development Grant to improve their data and business risk management capabilities; the grant covers around 70 percent of qualifying costs such as consultancy, training and assessments. To promote the sharing of best practices, the PDPC has issued new guides offering practical advice on building websites and on IT vendor management, as well as sample contractual clauses that can be included in agreements with vendors.

Another PDPC guide shows organizations how to dispose of physical media, such as paper, containing personal data. The PDPC has also updated its existing guide on securing personal data in electronic media to include new chapters on cloud computing, IT outsourcing and security patching, and has revised several advisory guidelines to clarify access requests and withdrawal of consent. Yet many SMEs still struggle to comply, because of the additional paperwork and a lack of knowledge.

PDPA rules in dealing with internal and external data

An organization deals with different types of personal data: customer data, employee data, and other third-party data, including data gathered through cookies on the organization’s website.

SMEs must take the necessary precautions when handling personal data, depending on its nature. For instance, as an employer, an organization must take reasonable steps to protect its employees’ personal data, including having an internal data management system. In Re Executive Coach International Pte Ltd [2017] SGPDPC 3, a director of the organization disclosed sensitive personal data about an employee in a WhatsApp group chat with other employees. The PDPC held the organization liable for breaching the PDPA. An organization must therefore take adequate measures to train its employees.

The PDPC places a lot of emphasis on an organization’s responsibility when handling customer data. In Re SLF Green Maid Agency [2018] SGPDPC 27, the organization’s staff, while interacting with prospective customers, reused scrap and discarded paper containing the personal data of individuals, including photocopies of their NRICs, foreign identification numbers, passport numbers and expiry dates, and signatures. The PDPC ruled that the organization had breached the PDPA, which caused it considerable reputational damage.

These examples show why an organization must train its staff on the PDPA in order to avoid financial and reputational damage.

Main differences between PDPA and other regulations like GDPR and CCPA

Due to increasing globalization and cross-border data transfers, many countries around the world are focusing on protecting personal data. The PDPA protects the personal data of individuals in Singapore, regardless of their nationality. Similarly, the European Union (EU) enacted the General Data Protection Regulation (GDPR) to protect the personal data of individuals in the EU, and the State of California enacted the California Consumer Privacy Act (CCPA) to protect the personal information of California residents. SMEs must understand the differences between these regulations in order to determine which apply to them and what each requires. The main differences are as follows:

  • Applicability - GDPR applies to data controllers and processors established in the EU, and to those outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU; public authorities are within its scope. PDPA applies to organizations and data intermediaries that process personal data in Singapore, excluding public agencies, employees acting in the course of their employment, and individuals acting in a personal or domestic capacity. CCPA applies to for-profit businesses that do business in California and meet certain size thresholds, excluding public agencies, non-profits, and data already governed by certain other laws. One should note that GDPR is framed around fundamental rights, whereas CCPA and PDPA are more commercial in nature.
  • Data Protection Rules - GDPR requires the data controller to observe lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. PDPA provides nine obligations: consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation and openness. CCPA takes a consumer-rights approach: it gives consumers rights to know, delete and opt out of the sale of their personal information, and imposes transparency and non-discrimination obligations on businesses.
  • Accountability - GDPR follows an explicit accountability principle: the controller is responsible for, and must be able to demonstrate, compliance with the GDPR principles. PDPA follows a reasonableness standard, requiring an organization to consider what a reasonable person would consider appropriate in the circumstances. CCPA relies on a non-discrimination principle: a business is prohibited from discriminating against a consumer because the consumer exercised any of their rights under the CCPA.
  • Consent - GDPR requires consent, where it is relied on, to be freely given, specific, informed and unambiguous, and it must not be made a condition of providing a service. PDPA provides for express or deemed consent, and the individual must be notified of the purposes. CCPA does not require prior consent for most processing; instead, consumers have the right to opt out of the sale of their personal information, and opt-in consent is required before selling the personal information of consumers under 16.
  • Purpose - GDPR requires that data be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. PDPA states that an organization may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and that the individual has been informed of. CCPA requires a business to inform consumers, at or before collection, of the categories of personal information collected and the purposes for which they will be used, and not to collect additional categories or use the information for additional purposes without giving notice. A service provider is prohibited from retaining, using or disclosing the personal information for any purpose other than performing the services specified in its contract, including for a commercial purpose.
  • Privacy Policy - Under GDPR, organizations must provide extensive information about the processing of personal data and the individual’s rights: the recipients of the personal data; the identity and contact details of the controller and of the data protection officer; the right to lodge a complaint with a supervisory authority; the retention period; the source of the data; and the existence of any automated decision-making. Under PDPA, an organization must develop and implement the policies and practices necessary to meet its obligations under the Act (including staff training); provide information about those policies and practices on request; and develop a process to receive and respond to complaints that may arise with respect to the application of the Act. Under CCPA, the privacy notice must include a description of consumers’ rights (opt-out, disclosure, deletion) and how to exercise them; a list of the categories of personal information the business collects, sells and discloses, updated every 12 months; and a toll-free phone number or, if the business operates solely online, a link on the website through which consumers can exercise their rights.
  • Data Protection Officer - PDPA requires every organization to designate at least one DPO. GDPR requires a DPO only in specified cases, such as public authorities or organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. CCPA has no DPO requirement.
  • Transfer - GDPR permits transfers outside the EEA only on the basis of an adequacy decision, appropriate safeguards such as standard contractual clauses or binding corporate rules, or a narrow derogation such as the individual’s explicit consent. PDPA requires the transferring organization to ensure that the overseas recipient is bound by legally enforceable obligations (for example, a contract) to protect the data to a standard comparable to the PDPA. CCPA imposes no specific cross-border transfer restriction.
  • Data Breach Notification - Breach notification is mandatory under GDPR and under California law (and CCPA gives consumers a private right of action for certain breaches). At the time of writing, a mandatory breach notification obligation under the PDPA is still under review.

What are the critical steps my business should implement to be compliant with PDPA? 

An organization should follow the 10-step PDPC checklist described in the next section to ensure PDPA compliance. These steps emphasize efficient communication between the organization, its employees and its customers. The PDPA’s Openness Obligation makes it mandatory for every organization to have a privacy policy and internal data protection policies: an organization must develop and implement the policies and practices necessary to meet its obligations under the PDPA, provide information about those policies and practices on request, and have a process to receive and respond to complaints that may arise with respect to the application of the PDPA.

Every organization must publish a privacy policy and must obtain consent, either express or deemed, before collecting its customers’ data. A privacy policy should cover:

  • The nature and type of data collected;
  • The purpose(s) of data collection;
  • How the data is collected, used and disclosed;
  • The procedure for withdrawing consent;
  • Access to and correction of personal data;
  • The measures taken to protect personal data;
  • Accuracy of personal data;
  • Retention of personal data;
  • Deletion of personal data;
  • Transfer of personal data;
  • Contact details of the Data Protection Officer, in case the customer wants to make a complaint;
  • Effect of the notice and changes to the notice.

An organization must communicate its internal data protection policies to its employees, and must train all employees, technical or not, so that they do not breach the PDPA obligations. Every employee should know the organization’s data protection policies and practices, understand and follow its processes for protecting personal data, and know their own role in safeguarding personal data and keeping the organization compliant. Posters, email and other internal communication tools can be used to keep reminding employees of the importance of personal data protection.

One may also note that the PDPC provides guidance on a Data Protection Management Programme (DPMP), and encourages not only MNCs and listed companies but also SMEs to implement one. A DPMP is a systematic framework to help organizations establish a robust data protection infrastructure. It covers management policies and processes for handling personal data and defines the roles and responsibilities of people in the organization in relation to personal data protection (see para 1.1 of the PDPC’s Guide to Developing a DPMP).


The PDPA Checklist Explained

To make the compliance obligations more reader-friendly, the PDPC has issued a 10-step PDPA checklist to help companies meet their data protection obligations. The 10 steps are as follows:

  1. Appoint A Data Protection Officer - All organizations, including sole proprietors, non-profit organizations and SMEs, must designate at least one person as the Data Protection Officer.
  2. Notify Purpose(s) And Seek Consent - The organization must notify individuals of the purposes for which their data is collected and obtain their consent before collecting it. If an individual withdraws consent, the organization must stop collecting, using or disclosing that individual’s data for those purposes.
  3. Respond When Individuals Ask About Their Personal Data - On request, an organization must tell an individual what personal data about them it holds and how that data has been or may have been used or disclosed within the year before the request.
  4. Allow correction of personal data - An organization must correct an error or omission in personal data when an individual requests it, unless an exception applies.
  5. Secure personal data held by the organization - An organization must make reasonable security arrangements, such as an internal data security policy, access controls and employee training, to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data.
  6. Dispose of personal data that is no longer needed - An organization must cease to retain personal data, or anonymize it, once it no longer serves any business or legal purpose.
  7. Ensure Protection Of Personal Data When Transferring Overseas - If an organization intends to transfer personal data overseas, it must ensure that the recipient is bound by legally enforceable obligations to protect the data to a standard comparable to the PDPA, and it remains responsible for the data while it is in its possession or under its control.
  8. Closely Manage Service Providers That Handle Personal Data - If an organization engages a service provider to process personal data on its behalf, it may be held responsible if the service provider contravenes the PDPA while providing that service. The service agreement must therefore contain clauses requiring the service provider to take sufficient measures to comply with the PDPA.
  9. Check The Do Not Call Registry - If an organization conducts telemarketing to Singapore telephone numbers, it must check the numbers on its telemarketing list against the Do Not Call (DNC) Registry before sending, unless the subscriber or user has given clear and unambiguous consent to receive such messages.
  10. Communicate Data Protection Policies, Practices And Processes - The data protection and security policies must be communicated to employees and customers.

The Accountability Approach When Dealing with PDPA

Presently, organizations operate in a well-connected digital economy while dealing with a burgeoning amount of data. In such circumstances, a checkbox compliance approach is not sufficient to keep pace with the developments. Therefore, the organizations must shift to an accountability approach to manage personal data. 

An accountable organization should be able to set up a proper management system to protect personal data. This includes adapting legal requirements into policies and practices, utilising monitoring mechanisms and controls to ensure that policies are effectively implemented and awareness programmes are conducted.  

Who In My Company is Responsible for Creating and Managing Policies?

A competent Data Protection Officer is key to preventing non-compliance with the PDPA. Although the DPO is responsible for ensuring compliance, many organizations form a team of senior management and personnel from other departments to assist with personal data matters. An organization must make the business contact information of its DPO available to the public. Designating a DPO does not, however, relieve the organization of its own obligations under the PDPA. The DPO should be sufficiently skilled and knowledgeable, and organizations should ensure that the individuals appointed as DPOs are properly trained.

In order to have a good management system, an organization must: (i) Appoint a Data Protection Officer (“DPO”), preferably from senior management, who can effectively direct and oversee data protection initiatives, (ii) endorse a DPMP, (iii) establish a risk management framework and reporting mechanisms, and (iv) Create and communicate a data security policy which specifies the organisation’s approach to handling personal data.

The PDPA requires an organization to communicate its personal data protection policies to both internal stakeholders (e.g. staff) and external parties (e.g. customers). Dedicated internal policies on specific areas also give internal stakeholders clarity on their responsibilities and on the processes for handling personal data in their day-to-day work.

The cost of non-compliance with PDPA

The PDPC’s enforcement powers for a breach of the PDPA are set out in Section 29 of the Act. Where the PDPC is satisfied that an organization has not complied with the PDPA, it may give the organization such directions as it thinks fit in the circumstances, including directions:

  • to stop collecting, using or disclosing personal data in contravention of the PDPA;
  • to destroy personal data collected in contravention of the PDPA;
  • to comply with any direction of the PDPC under section 28(2) of the PDPA;
  • to pay a financial penalty of such amount, not exceeding S$1 million, as the PDPC thinks fit, depending on the gravity of the breach.

The PDPC also lists out certain aggravating factors which may lead to an increase in penalty. These factors are as follows:

  • the organisation failed to resolve the matter with the aggrieved individuals in an effective manner;
  • intentional, repeated and/or ongoing breaches of PDPA by an organisation. For example, the organisation was aware, or ought reasonably to have known, of the risk of a breach, or breach of the PDPA but continued with its operations without taking measures to minimise the risk or remedy the breach;
  • obstructing the PDPC during the course of investigations;
  • failing to comply with a previous warning or direction from the PDPC; and
  • the organisation is in the business of handling personal data (such as medical or financial data), but failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of that personal data;

Calculations done by The Business Times based on decisions published since April 2016 on the PDPC website showed that the amount of penalties imposed totalled S$2.12 million over this period.

Organizations have been penalized for failing to protect customer data, as in the case of Orchard Turn Developments, where the PDPC imposed a fine of S$15,000 on the organization for not making reasonable security arrangements to protect its customers’ personal data stored on its server.

Organizations have also been found non-compliant because of a lack of staff training. For example, the PDPC issued a warning to an SME in the Hazel Florist case, where an employee who had not been trained to protect personal data used paper containing customers’ personal data as wrapping paper for gifts. In Singapore Health Services Pte. Ltd. & Ors. [2019] SGPDPC 3, the PDPC imposed financial penalties totalling S$1,000,000 (S$250,000 on SingHealth and S$750,000 on its IT vendor, Integrated Health Information Systems) because the organizations had not made reasonable security arrangements and had not adequately trained their staff to handle, and respond to incidents involving, sensitive personal data. As a result, attackers exfiltrated the personal data of about 1.5 million patients.

Once a policy compliance program is set, how to ensure my employees are aligned with it?

It takes time and team dedication to build a PDPA compliance program. Your assigned Data Protection Officer will be the one responsible for dealing with the full check-list of requirements from PDPA, but it only takes one employee misstep to fall non-compliant with its regulations.

In order to drive awareness and proper training to your workforce to handle both internal and external personal data, you should look for a smart solution to help you drive a meaningful and long-lasting behavior change within your organization.

Right-Hand’s Compliance Readiness solution contains a Machine Learning engine that automates and customises the ability for compliance teams to develop, store, disseminate, increase awareness and drive behaviour change for corporate policies. Combined with Training Readiness’s customized micro-learning approach, this set of solutions will help your DPO save time and resources when dealing with the PDPA regulations.


DISCLAIMER:

The information provided by Right-Hand is for general information purposes only to permit you to learn more about our products and services. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. The information provided is accurate and useful to the best of our knowledge. However, the information may not be current, and is subject to change without notice. No one should act, or refrain from acting, based solely upon the information provided herein without first seeking appropriate legal or other professional advice. No attorney-client or confidential relationship exists or will be formed between you and Right-Hand or any of our representatives.