As Singapore digitalises and consumers become savvier with regards to personal data protection and privacy rights, companies are now expected to do more to protect their customers’ data. Fair commercial use of personal data is now governed by the Personal Data Protection Act (PDPA). How are startups able to realistically comply with the regulations?
What is PDPA?
The Personal Data Protection Act (PDPA) was rolled out in phases, starting on 2 January 2013. As of June 2020, Singapore companies are required to:
- Appoint a Data Protection Officer (DPO)
- Obtain consent before they can collect, use, or disclose any personal information related to that individual
- Put in place reasonable measures to protect customers’ (and employees’) personal data
- Respect the Do Not Call (DNC) Registry
- Stop collecting NRICs, unless there is a legitimate need.
Regulations in the PDPA are enforced by the Personal Data Protection Commission (PDPC), which is managed by the Ministry of Communications and Information.
PDPA for Startups in Singapore
From an operations standpoint, basic compliance with the PDPA involves:
- Do Not Call (DNC) Registry
- Consent for the collection, use, and/or disclosure of personal information
- General data protection provisions
- Verifying adherence to PDPA requirements
Do Not Call (DNC) Registry
If you do not have consent to contact customers and prospects, you will need to check the DNC Registry before you reach out to them. To do this, go to the DNC website and apply for a DNC checking account. It costs S$30 for businesses based in Singapore. After your account is approved, all you have to do is submit the list(s) of telephone numbers you plan on contacting.
Every year, businesses are entitled to a limited number of free searches, but you can top up for additional searches at one credit each. You can find the most up-to-date fees for credits by checking out the User Guide for Organizations on the DNC Registry homepage.
You have 30 days to contact prospects, after receiving the green light from the DNC Registry for each query. After 30 days, you will have to check with the Registry again to get permission to market to the same persons. Therefore, you should contact the prospects quickly and avoid making large queries that your business cannot fully utilise.
To reduce this overhead, consider email marketing instead, since email is not included within the scope of the DNC Registry. Same goes for physical mail. That said, even though email is not covered by the DNC Registry, it is a good practice to include contact information in marketing emails and provide the option to unsubscribe from your mailing lists.
Consent for the collection, use, and/or disclosure of personal information
If your company has a website – you probably do – your contact form should include either a checkbox or a disclaimer to indicate deemed consent and how the personal data will be used. If you’re using marketing and analytics tools like Google Analytics, Facebook Pixel, and more, a banner should be set-up for the site visitor to accept cookies. These are further measures that must be implemented, so do consult one of our experts for additional guidance and implementation methods.
General data protection provisions
All businesses must designate a data protection officer (DPO) and make the contact details of this individual available to the public. The Singapore government has set out guidelines for DPOs here.
Larger companies may have a data controller who decides how data will be used within the organisation. This function is usually fulfilled by the IT department, but can be jointly managed by the Compliance and/or Marketing departments. You should have a personal data inventory map that is specific to your company’s requirements. Encryption should also be applied to emails and stored personal data, to fully protect customer data.
Verifying adherence to PDPA requirements
Data protection is a relatively new aspect of corporate compliance in Singapore, and the requirements are likely to change over time. Thus, your company’s compliance status needs to be evaluated on an ongoing basis. If your company uses our monitoring and support services, we will conduct regular compliance audits on your behalf and alert you to critical regulatory changes. Your PDPA compliance will be covered during the audit.
Enforcement and Penalties
The PDPC is allowed to take the following measures to ensure compliance:
- Enter business premises to access information related to an investigation
- Compel a business to stop collecting, using, and/or disclosing personal data that contravenes the PDPA
- Destroy personal data collected by a business in violation of the PDPA.
- Impose a fine which is defined by the Commission at its sole discretion (It can reach a maximum of S$ 1 million, or S$10,000 for DNC registry violations.)
For the average startup in Singapore, these penalties for non-compliance can be debilitating. On the flipside, the cost of implementing data protection measures is quite affordable. Especially if you are advised by an external regulatory compliance service.