Data protection bill to impact S'pore biz processes

Companies should review how user data is harvested, used and stored to stay compliant ahead of country's approval of Personal Data Protection Act, observers note.
Written by Ellyne Phneah, Contributor

As the final round of consultation for Singapore's data protection bill gets underway, industry observers point out that businesses need to start revamping internal processes and procedures, use data differently and change the dynamics of relationships with customers in order to stay on the right side of the law.

Singapore's Ministry of Communications and the Arts (MICA) opened the proposed Personal Data Protection Act (PDPA) for the third, and final, round of consultation in March, following two earlier consultations on the proposed bill.

Based on feedback from the earlier consultations, key highlights include a "sunrise" period of one to two years before the law takes effect for organizations, and a Do Not Call (DNC) Registry, which people can sign up to get marketing companies to refrain from calling them.

Other feedback include getting organizations to explicitly seek the consumer's consent before they are able to collect, use or disclose a person's personal data as well as setting up a Data Protection Commission to investigate and issue penalties, MICA revealed.

Review internal processes, use of data
Commenting on the PDPA and its implications, Indranee Rajah, director of dispute resolution department at Drew & Napier, pointed out that the proposed bill will strike a balance between the need of organizations to collect, use, or disclose personal data for reasonable purposes and the right of individuals to have their personal data protected.

"It will impose obligations on organizations to act responsibly in the collection, use and disclosure of individual's personal data," she said. Rajah is also currently an elected Member of Parliament (MP) of Singapore.

Elaborating, she said businesses will have to designate a position within their ranks to oversee compliance and obligations under the Act are met. This person would also have to develop practices and policies to comply with the PDPA, especially over the "sunrise" period, she added.

Elle Todd, a partner at law firm Olswang, stated that businesses will have to relook and develop new internal processes and procedures on how they collect and use personal data.

In particular, attention must be paid to how they obtain consumers' consent before the data can be used, as well as how data is stored and used to ensure proper safety measures are met, she added.

With regard to external suppliers and contractors with access to the company's trove of customer data, she said companies need to review existing contracts to ensure they pass on the necessary obligations to their partners so that compliance is met at all levels of the supply chain.

Rajah explained that if an organization has collected personal data from individuals for any particular purposes before the Act is enforced, it can continue using the data collected for the purpose it was obtained. However, if the data is used for a different purpose after the PDPA is approved, it may have to obtain fresh consent from the individual, she stated.

As for the DNC Registry, internal training must be conducted to ensure employees understand and comply with their new obligations and marketing lists are checked against the registry's name list, Todd noted.

Should there be any doubts regarding marketing and outreach initiatives that involve using people's personal data, Rajah suggested organizations seek legal counsel or get guidance from the Data Protection Commission first before embarking on them.

Additionally, Jean Philippe Desbiolles, consulting partner at IBM's global business services arm, called on businesses to change the way they interact with customers to stay within the boundaries of the PDPA.

This would mean be transparent and foster trust with customers by informing them on how they plan to use the data, so that people would be more willing to voluntarily share their personal information, he noted.

One local organization, DBS, said it has been following the developments of the data protection bill closely. "We have started reviewing our practices and will ensure that these are in line with the finalized proposal," a spokesperson said, who declined to elaborate on how it was doing so.

Meanwhile, consumers ZDNet Asia spoke to have adopted a wait-and-see approach to the impending bill.

Student Jasper Tan, for one, noted that he is looking forward to sign up with the DNC Registry in order to stop receiving phone calls from "telemarketing pests". That said, he would be open to sharing his data if the products or services offered give him more value for his money.

Lim Suet Hua, a housewife, however, said she would not be comfortable sharing her data with companies and was "skeptical" how the Act was going to be enforced due to the lack of information given at the moment.

"Until businesses have adjusted their procedures according to the Act, you never know what these companies will do to your data," she said.

Editorial standards