Thanks to its close relationships with the EU, the US and other Asian countries, Singapore remains a major player on the world stage. For many domestic and international businesses alike, these close relationships create an obligation to ensure your organisation's compliance with Singapore's data protection laws.
What exactly are those laws? More importantly, what does your organisation need to do about them? Read on to find out…
When the General Data Protection Regulation came into force in May 2018, it did much more than force organisations to address privacy compliance as it related to their operations within the European Union itself.
It also prompted many of those organisations to examine data protection laws in other areas where they operate and reevaluate whether the processes, policies and procedures they had in place were still effective and sufficient in adhering to those laws.
Namely, it forced those organisations to ask three key questions about international privacy compliance concerning their global operations:
● Are we doing all we can to ensure complete compliance with laws in every area where we do business?
● What similarities are there between the separate data protection laws we need to comply with?
● How can we best utilise those similarities to better ensure global compliance?
One of the first countries many organisations looked at as part of this ongoing assessment was, of course, Singapore.
The Southeast Asian Island ships an estimated $373.2 billion US dollars worth of products internationally each year, with nearly $25 billion of that alone going to the United States and almost as much going, collectively, to EU member states.
All said, this makes it the EU's 14th largest global trading partner and its largest overall trading partner from the Association of Southeast Asian Nations (ASEAN).
Ultimately, what this close relationship between the two areas means is that there are almost as many EU-based enterprises with interests in Singapore as there are Singapore-based companies with interests in the European Union.
In fact, in the run-up to the GDPR deadline on May 25th, 2018, Singaporean enterprises made up a significant percentage of the client base of our own international data protection consultancy here at Relentless Privacy & Compliance Ltd.
Three fundamental questions for global organisations that have operations in Singapore or offer services to Singaporean residents are:
● How do those laws affect your business?
● What compliance measures do you need to put in place?
● How can you put those measures in place in a way that aligns with GDPR and other international privacy laws affecting your organisation?
Today, we draw on our years of experience in providing data protection consultancy in Singapore, the EU and around the world to answer all of those questions and more.
First, however, let’s start with the one question that’s perhaps most important of all.
What is Singapore’s data protection law?
Data protection in Singapore is governed by the Personal Data Protection Act (PDPA).
Drawing on other laws and guidelines such as the former UK Data Protection Act and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, the PDPA was passed into law in October 2012 and rolled out in four distinct phases over the course of the next two years in order to give businesses plenty of time to achieve compliance.
The last of these phases was introduced on July 2nd, 2018 and has been in force ever since.
How does PDPA impact businesses?
At the heart of PDPA is an effort to balance the privacy rights of individuals with the rights and requirements of businesses to use the personal data of those individuals for legitimate reasons.
What's important to note here, especially if your only familiarity with the concept of personal data comes from GDPR, is how Singapore treats that personal data differently from Europe.
Both GDPR and PDPA class personal data as anything which identifies or could identify an individual. However, there’s a notable difference in the way the rules apply to that data.
Under GDPR, there is one set of rules governing the collection, use and disclosure of all personal data, including general data types like a person's name, address or contact details. There is then a second set of rules concerning sensitive personal information, or what GDPR calls special category data.
The Information Commissioner's Office (ICO) has a list of all the data types that are classed as special category data; to give a quick example, this applies to things like biometric data (fingerprints, etc.), genetics and health records.
PDPA, meanwhile, doesn’t differentiate between categories of data, so biometric data is treated every bit the same as someone’s address or telephone number.
PDPA also considers the following to be types of personal data:
● A person’s voice (such as that captured in a recording)
● Photographs or video footage of a person
● DNA profile
● National Registration Identity Card (NRIC) number.
What about B2B data?
If there’s one question we get asked the most here at Relentless Privacy & Compliance, it’s how data protection laws apply to information collected in a business-to-business (B2B) setting, such as a person’s office telephone number or their company email address.
Again, GDPR and PDPA differ here.
Concerning GDPR and B2B data, the ICO has this to say:
“If you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity.
“For example, if you have the name of a business contact on file or their email address identifies them (such as firstname.lastname@example.org), the GDPR will apply.
“It only applies to loose business cards if you intend to file them or input the data into a computer system.”
PDPA takes a different approach.
It does not class business contact information as personal data unless a person decides to use that data for personal reasons.
For example, if a person registers for a gym membership for personal use but signs up using their company email address, that address would be deemed to be personal data and would have to be dealt with in accordance with PDPA.
How does PDPA protect personal data?
Now that we have a better idea as to what PDPA classes as personal data, let’s look at what it actually does to protect that data.
In essence, there are two primary mechanisms that businesses need to be aware of:
● Data Protection Obligations
● The Do Not Call (DNC) Registry
The DNC is essentially three individual registries covering telephone calls, text messages and fax messages.
Individuals can register a landline, mobile, or fax number with the appropriate registry. Once they do, organisations are not allowed to contact them on that number for marketing purposes.
If your business uses telemarketing or similar strategies within Singapore, this means that you will have to apply for a DNC Registry checking account, which costs $30 SGD (roughly £17 GBP) for companies based within Singapore and $60 SGD (£33 GBP) for international businesses.
From there, you’ll be required to submit the list of numbers that you plan on contacting so that they can be checked against the registry.
If a number comes back as being on the Registry, you will not be able to contact that number.
If it isn’t on the registry, you can contact that number for marketing purposes for up to 30 days, after which time you will have to resubmit a checking request.
The one exception to this rule is if you can prove that an individual has given you express consent to contact them via a number which is included on the DNC Registry.
Tune into our Singapore PDPA part two, where we will discuss: 1) Data Protection Obligations; 2) the role of the Data Protection Officer; 3) who the PDPA applies to; and 4) what to do if it applies to your business.