Data Protection in Singapore: How PDPA Impacts Your Business
Thanks to its close relationships with the EU, the US, and with other Asian countries, Singapore remains a major player on the world stage. For many domestic and international businesses alike, these close relationships create an obligation to ensure frictionless compliance with Singapore’s data protection laws.
What exactly are those laws? More importantly, what does your organisation need to do about them? Read on to find out...
When the General Data Protection Regulation came into force in May 2018, it did much more than force organisations to address privacy compliance as it related to their operations within the European Union itself. It also prompted many of those organisations to examine data protection laws in other areas where they operate and reevaluate whether the processes, policies and procedures they had in place were still effective and sufficient in adhering to those laws.
Namely, it forced those organisations to ask three key questions about international privacy compliance:
- Are we doing all we can to ensure complete compliance with laws in every area where we do business?
- What similarities are there between the separate data protection laws we need to comply with?
- How can we best utilise those similarities to better ensure global compliance?
One of the first countries many organisations looked at as part of this ongoing assessment was, of course, Singapore.
The Southeast Asian island ships an estimated $373.2 billion US dollars' worth of products internationally each year, with nearly $25 billion of that going to the United States alone and almost as much going, collectively, to EU member states.
All told, this makes it the EU’s 14th largest global trading partner and its largest overall trading partner from the Association of Southeast Asian Nations (ASEAN).
Ultimately, what this close relationship between the two areas means is that there are almost as many EU-based enterprises with interests in Singapore as there are Singapore-based companies with interests in the European Union. In fact, in the run-up to the GDPR deadline on May 25th, 2018, Singaporean enterprises made up a significant percentage of the client base of our own international data protection consultancy here at Relentless Privacy & Compliance.
So far, we’ve helped scores of businesses both in Singapore and elsewhere to create frictionless compliance with GDPR, but what about when it comes to Singapore’s data protection laws?
- How do those laws affect your business?
- What compliance measures do you need to put in place?
- How can you put those measures in place in a way that aligns with GDPR and other international privacy laws affecting your organisation?
Today, we draw on our years of experience in providing data protection consultancy in Singapore, the EU and around the world to answer all of those questions and more.
First, however, let’s start with the one question that’s perhaps most important of all.
What is Singapore’s data protection law?
Data protection in Singapore is governed by the Personal Data Protection Act (PDPA).
Drawing on other laws and guidelines such as the former UK Data Protection Act and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, the PDPA was passed into law in October 2012 and rolled out in four distinct phases over the course of the next two years in order to give businesses plenty of time to achieve compliance.
The last of these phases was introduced on July 2nd, 2018 and has been in force ever since.
How does PDPA impact businesses?
At the heart of PDPA is an effort to balance the privacy rights of individuals with the rights and requirements of businesses to use the personal data of those individuals for legitimate reasons. What’s important to note here, especially if your only familiarity with the concept of personal data comes from GDPR, is how Singapore treats that personal data differently from Europe.
Both GDPR and PDPA class personal data as anything which identifies or could identify an individual. However, there’s a notable difference in the way the rules apply to that data.
Under GDPR, there is one set of rules governing the collection, use and disclosure of all personal data, including general data types like a person’s name, address, or contact details. There is then a second set of rules concerning sensitive personal information, or what GDPR calls special category data.
The Information Commissioner’s Office (ICO) has a list of all the data types that are classed as special category data, though to give you a quick example, this applies to things like biometric data (fingerprints etc), genetics, and health records.
PDPA, meanwhile, doesn’t differentiate between categories of data, so biometric data is treated every bit the same as someone’s address or telephone number.
PDPA also considers the following to be types of personal data.
- A person’s voice (such as that captured in a recording)
- Photographs or video footage of a person
- DNA profile
- National Registration Identity Card (NRIC) number.
What about B2B data?
If there’s one question we get asked the most here at Relentless Privacy & Compliance, it’s how data protection laws apply to information collected in a business-to-business (B2B) setting, such as a person’s office telephone number or their company email address. Again, GDPR and PDPA differ here.
Concerning GDPR and B2B data, the ICO has this to say:
“If you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity.
“For example, if you have the name of a business contact on file or their email address identifies them (such as firstname.lastname@example.org), the GDPR will apply.
“It only applies to loose business cards if you intend to file them or input the data into a computer system.”
PDPA takes a different approach.
It does not class business contact information as personal data unless a person decides to use that data for personal reasons. For example, if a person registers for a gym membership for personal use but signs up using their company email address, that address would be deemed to be personal data and would have to be dealt with in accordance with PDPA.
How does PDPA protect personal data?
Now that we have a better idea as to what PDPA classes as personal data, let’s look at what it actually does to protect that data. In essence, there are two primary mechanisms that businesses need to be aware of:
- The Do Not Call (DNC) Registry
- Data Protection Obligations
The Do Not Call (DNC) Registry
The DNC is essentially three individual registries covering telephone contact, text messages, and fax messages.
Individuals can register a landline, mobile, or fax number with the appropriate registry. Once they do, organisations are not allowed to contact them on that number for marketing purposes.
If your business uses telemarketing or similar strategies within Singapore, this means that you will have to apply for a DNC Registry checking account, which costs $30 SGD (roughly £17 GBP) for companies based within Singapore and $60 SGD (£33 GBP) for international businesses. From there, you’ll be required to submit the list of numbers that you plan on contacting so that they can be checked against the registry. If a number comes back as being on the Registry, you will not be able to contact that number. If it isn’t on the registry, you can contact that number for marketing purposes for up to 30 days, after which time you will have to resubmit a checking request. The one exception to this rule is if you can prove that an individual has given you express consent to contact them via a number which is included on the DNC Registry.
Data Protection Obligations
Outside of the DNC, PDPA lists nine core obligations that organisations must meet when collecting, processing and disclosing data. These include:
Consent must be gained from an individual in order to collect, process or disclose their data.
Similar to the “Right to Be Forgotten” under GDPR, individuals can withdraw their consent at any time and organisations must comply with this withdrawal.
Businesses must only collect, use, or disclose an individual’s personal data for the specific purpose that the individual has consented to.
The business must inform individuals of the purposes for which their data will be collected, used, or disclosed.
4: Access and correction
Similar to data subject access requests, individuals have the right to request what data of theirs your organisation possesses or has control of. They can also request details on how that data has been used or disclosed within the past year. Organisations are legally obligated to comply with those requests, and to amend any errors or omissions unless it is reasonable not to.
Businesses must make every reasonable effort to ensure that personal data they collect is accurate and complete if that data is going to be used to make decisions which affect the individual who the data relates to, or if that data is going to be disclosed to another organisation.
Reasonable security measures must be put in place to protect any personal data which is collected. This must include technical, organisational, and any other measures as appropriate.
Organisations must only retain personal data for as long as is necessary to carry out business or legal functions.
If personal data is being transferred internationally, including being stored with cloud services based overseas, then the transfer must meet specific requirements laid out by PDPA.
Organisations must make information publicly available about the policies and procedures they use to ensure PDPA compliance.
If you’re familiar with GDPR, you’ll no doubt see some similarities between the two laws when it comes to data protection obligations. Naturally, this creates some opportunity to streamline compliance measures, which can result in long-term cost savings and greater efficiency. Relentless Data Privacy consultancy can help you identify key areas for such streamlining.
What role does a Data Protection Officer play in PDPA?
One key area of difference between PDPA and GDPR is within the role of the Data Protection Officer (DPO).
Under GDPR, only certain organisations are required to hire a DPO according to certain criteria. Our recent guide to hiring a DPO for your organisation lists what these criteria are.
Under PDPA, however, all businesses are required to appoint a DPO, even if they are an SMB or sole trader.
This DPO can be someone whose sole responsibility within an organisation is to manage data protection or it can be someone who combines DPO responsibilities with other key organisation tasks. Businesses also have the option of outsourcing that role to a third-party DPO service.
The Singapore government has set guidelines for the role of DPO. Alternatively, Relentless Privacy & Compliance can help you determine the best option for appointing a DPO for your business.
Who does PDPA apply to?
With all this being said, the one remaining question concerns whether or not your business needs to comply with Singapore’s data protection law in the first place.
Like China’s Data Protection Standard, like GDPR, and like the California Consumer Privacy Act, PDPA applies to any and all organisations that deal with the personal data of individuals who are based in the area where that law applies. This is regardless of where that business is primarily located. In other words, if you collect, use, or disclose the personal data of people in Singapore, PDPA applies to you, even if you’re not based in that country.
There are, of course, a small number of exceptions. If you are a public agency (such as a government authority), then you are exempt from PDPA. Likewise, if your business collects, uses or discloses data on behalf of a public agency, then you too are exempt.
What to do if PDPA applies to your business
The most effective approach for any business faced with complying with multiple international privacy laws is to look at how you can avoid duplicating your efforts and create systems, policies and procedures which ensure frictionless compliance across the board.
For example, hiring a DPO to comply with PDPA could be as simple as extending the responsibilities of your existing GDPR DPO, while the technical security measures you have in place for one law could be equally effective in helping you comply with another. If you’re not sure where to start with this, the good news is that Relentless Privacy & Compliance are here to help.
We can help with:
- Serving as your DPO
- Mapping between GDPR, PDPA and other laws to reduce the costs and complications of compliance
- Acting as your organisation’s data protection representative in the EU if you’re based overseas.
And much more.