Singapore reached its first data protection milestone with the passing of the Personal Data Protection Act (PDPA) on Oct. 15, 2012.
Data protection is not foreign to Singapore businesses, with the banking, health, and telecommunications sectors already having some form of data protection legislation. However, this represents the first general data protection legislation which cuts across all industries, except the goverment.
Very quickly, the MPs in Parliament warned that big companies with resources would be able to handle the new legislation with ease but smaller ones would be faced with mounting costs. Is there any truth in such assertions?
To answer that, we only have to look back to 2004 when Singapore passed its first Competition Act. A similar piece of general legislation which cuts across all industries, the Competition Act had a transition period before enforcements took root and a number of parties were hauled up for investigation.
A brief glance at the enforcement decisions investigated reveals modelling agencies, the medical profession, foreign domestic worker agencies, bus tour companies, pest control providers, and engineering sub-contractors, were among those hauled up. The demographic suggests local small and midsize enterprises, rather than larger entities, were more susceptible to breaches of the Competition Act.
The similarities with the PDPA suggest the demographic of those vulnerable will not be any different this time around. It is not hard to figure out why--local entities have been comfortable with operating in a non-competition, regulated, and non-privacy regulated environment. The introducton of general legislation is akin to hiring a vegetarian to work in a steakhouse.
Education and consultation are cited as measures to smoothen the introduction of the PDPA, but these were also done when the Competition Act was introduced.
Will these be adequate this time around? Otherwise, a cultural shock of sorts lie in wait for many Singapore companies.