
The Complete Guide to PDPA, DPO and Your Obligations

Praise Sim, Copywriter, GENIA

24 August 2020

What is Data Protection? (PDPA Meaning)


Data protection? You want it as a consumer, but as a business owner you probably don’t think twice about the data protection you offer your customers.

And before you click away thinking that data protection doesn’t apply to your company, think again!

Data protection applies to every business! And the consequences of not taking appropriate measures may be more costly than you think…

Here’s why.

Ever heard of the Personal Data Protection Act? It establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data.

Still think it doesn’t apply to you? 

If you collect, use or disclose the personal data of people in Singapore, PDPA applies to you, even if you are not based in Singapore.

The purpose of the Personal Data Protection Act (PDPA) is to balance the privacy rights of individuals with the rights and requirements of businesses to use the personal data of those individuals for legitimate reasons.

That’s right! As a business, you are obligated by law to comply with this act. 

Back in 2019, a fine of $1,000,000 was imposed on SingHealth and IHiS for breach of the Personal Data Protection Act. This followed the cyberattack on SingHealth’s patient database system, where it was found that IHiS had failed to take adequate security measures to protect the personal data in its possession.

My business isn’t as high profile as SingHealth, the government won’t catch me one! 

Tuition agency Championtutor was fined $5,000 for failing to appoint a data protection officer and for not having written policies and practices to ensure its compliance with the PDPA.

Slightly more interested now? Read on to find out what you are obligated to do!

Data Protection (PDPA) Obligations

Information adapted from Singapore Legal Advice.

Obligations of PDPA

PDPA lists nine core obligations that organisations must meet when collecting, processing and disclosing data.

1. Consent. You can only collect, use and/or disclose the personal data of individuals who have consented to such collection, use and/or disclosure.

Ever wondered why your inbox is flooded with newsletters that you didn’t consciously subscribe to? 

You’ve likely fallen prey to the sneakily pre-checked “subscribe” option, resulting in you unknowingly consenting to all the promotional messages from the organisation!

To counteract these issues, the PDPA requires that customers voluntarily give their consent through an opt-in mechanism rather than an opt-out default.

2. Purpose. Your customers should not be required to consent to the collection, use, and/or disclosure of their personal data beyond what is reasonable for your organisation to provide a particular product or service!

3. Notification. Your customers should be informed of the purpose(s) for which their personal data is being collected, used and/or disclosed.

4. Access and correction. Your organisation is obliged to provide information to individuals, upon request and as soon as reasonably possible, on:

  • What personal data of theirs is in your organisation’s possession or under its control
  • How their personal data has been used or disclosed in the 1 year before the request

Should there be a request to rectify any error or omission in his/her personal data, it should be rectified as soon as possible!

5. Accuracy. Your organisation must take reasonable steps to confirm that the data you store on customers is accurate if you plan to use their personal data to make decisions regarding the customer or disclose the personal data.

It can be done by verbal or written confirmation from the customer or by taking extra steps to verify data from a third-party provider!

6. Protection. Your organisation should put in place security measures to protect the personal data in its possession or under its control, to prevent any unauthorised access, collection, use and/or disclosure of such data.

Some courses of action recommended by the PDPC are:

  • Ensuring computer networks are secure
  • Adopting appropriate access controls
  • Encrypting personal data

7. Retention. Your organisation should only retain personal data for as long as it is necessary for business or legal purposes. Beyond that, you may be at risk of breaching the Retention Limitation Obligation!

8. Transfer. If your organisation is transferring personal data overseas, ensure that the country to which the data is being transferred offers a level of data protection comparable to that provided by the PDPA.

9. Openness. Your organisation should be open to sharing information about its data protection practices, policies and complaints processes upon request.

PDPA Singapore Checklist

Information adapted from Privacy Ninja.

Want to know where your business stands with regard to its readiness for Personal Data Protection Act (PDPA) compliance?

Take our PDPA checklist as a starting point to evaluate your business’s readiness before you take more actionable steps!

PDPA Checklist #1: Governance and Transparency

Does your organisation…

  • Have policies and practices in place to manage personal data?
  • Communicate its data protection policies and practices to relevant internal and external stakeholders?
  • Regularly review and update data protection policies and practices, and monitor compliance of practices with these policies?
  • Receive and respond to queries on the collection, use and disclosure of personal data by your organisation?
  • Conduct risk and impact assessments to identify, assess and address data protection risks?
  • Take into account Data Protection by Design in the development of a product, service, system or process?
  • Have a data breach management plan? The plan should include the following:
    • Personnel responsible for managing a data breach incident
    • Timeline for reporting a data breach incident
    • Processes for notifying affected individuals/organisations and relevant regulators/enforcement authorities
  • Have a Data Protection Officer (DPO) who is well versed in your data protection policies and PDPA? Is the business contact information of the DPO made available to the public?
  • Conduct regular training for employees on the company’s data protection policies and practices?

PDPA Checklist #2: Management of Personal Data

Does your organisation…

  • Ensure that the personal data collected is necessary for the purpose, and individuals are notified of the purposes on or before the collection of their personal data?
  • Obtain consent for the collection, use or disclosure of personal data?
  • Ensure proper use and disclosure of personal data collected?
  • Ensure that the transfer of data overseas is in compliance with PDPA?

PDPA Checklist #3: Care of Personal Data

Does your organisation…

  • Have appropriate security measures in place to prevent unauthorised access, collection and use of its personal data in its possession or under its control?
  • Have appropriate data retention policies for different types of personal data?
  • Have processes in place to handle unsolicited personal data?
  • Have processes in place to dispose of personal data? (This also applies to third parties in possession of its personal data.)
  • Ensure that its personal data is accurate and that personal data disclosed to other organisations is accurate and complete? How does your organisation deal with inaccurate data?

PDPA Checklist #4: Individual’s Rights

Does your organisation…

  • Provide information on how individuals may withdraw consent on the use of their personal data and the consequences of withdrawing the consent?
  • Provide information on how individuals can request access to their personal data, and have a process in place to respond to their requests?
  • Provide information on how individuals can correct their personal data under its possession?

Data Protection (PDPA) Breach

Information adapted from the Personal Data Protection Commission (PDPC).

Data breaches can occur for various reasons, such as malicious activity, human error or computer system error. Naturally, it is important for organisations to put in place measures which allow them to monitor and take pre-emptive action before data breaches occur.

An organisation should act swiftly as soon as it is aware of a data breach, whether suspected or confirmed.

The Personal Data Protection Commission (PDPC) provides a C.A.R.E framework for the actions to be taken after a data breach:

C: Contain the data breach to prevent further compromise of personal data.

A: Assess the data breach by gathering the facts and evaluating the risks, including the harm to affected individuals. Take the necessary steps to prevent further harm even as the organisation proceeds to implement full remedial action.

R: Report the data breach to the PDPC and/or affected individuals, if necessary.

E: Evaluate the organisation’s response to the data breach incident and consider the actions which can be taken to prevent future data breaches.

What should I do to ensure compliance with the PDPA?

Long story short, you have to create a system that makes compliance easy across the board.

You can do this by…

  1. Hiring a Data Protection Officer!

No matter its size, every organisation is required by law to appoint at least one person as its Data Protection Officer (DPO), whether an existing employee or a third party.

The role of this officer is to ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data.

The job scope of the DPO typically consists of:

  • Auditing current company practices and policies around data collection (both physical and electronic)
  • Handling queries and complaints relating to data protection
  • Encouraging a culture of data security: fostering a data protection culture among employees and communicating personal data protection policies to stakeholders
  • Foreseeing and acting on any possible risks in the management of personal data
  • Liaising with the PDPC if required, and more

Failure to appoint a DPO risks a fine of up to $1 million under the Act.

Your business’s DPO can be either an employee or a third party. However, take note that your business is not exempted from fulfilling its data protection obligations just because you have appointed a DPO.

To comply with the Act, you can choose to appoint someone within your organisation, hire a DPO, or outsource the role, as long as the person or organisation understands your IT processes.

Outsourcing DPO Services in line with PDPA

Want to add an extra layer of accountability and support for your organisation? 

Outsourcing might just be the solution for you.

  1. An independent standpoint can allow for expert and objective advice! Self-evaluation often leads to bias and leniency towards your own company, resulting in little to nothing getting done to improve compliance!
  2. Independence is also well received by regulatory authorities. Engaging an independent stakeholder to evaluate and implement data protection measures indicates to the authorities and consumers that your business is transparent and accountable!
  3. You usually get a whole team of experts! Outsourced DPO services are usually delivered to multiple clients, allowing your DPO to bring good-practice lessons from their whole client base to your compliance team.

Take your business to the next level with Search Engine Optimisation (SEO)!

Ensuring compliance with the PDPA creates accountability for your business, but it shouldn’t end there! Every business serious about expanding market reach needs an SEO specialist to reach their target audience.

At GENIA, our mission is to turn your business into a content hub and help you establish an authoritative website, “an established resource centre for a particular niche”, where people go whenever they require information from that industry.

The best way to do so is by generating traffic to your page consistently and sustainably, and the only way to do that is to generate organic traffic through smart SEO planning, powered by strong and relevant content.

Contact us to find out how we can help grow your business while keeping in line with the PDPA!
