PDPA COMPLIANCE: THE TIME IS NOW
by Rishi Gantan (Ella Cheong LLC)
Data protection laws in Singapore are relatively new, as the Data Privacy Provisions of the Personal Data Protection Act (“PDPA”) came into force barely 2 years ago, shortly after the “Do Not Call” (“DNC”) regime was implemented.
However, compliance under this new law is stringent, and many companies are still unaware of their vulnerability to a potential breach of their obligations under the PDPA.
In this digital age, millions of individuals’ personal information is being stored by banks, hospitals, internet service providers and other service providers. Even SMEs are not spared and are held to strict compliance.
There are numerous issues that have to be tackled in relation to more efficient data protection. What are the common mistakes made by organizations that result in personal data leaks?
Take the example of a fictional character, Ben, a marketing executive. Ben is compiling a list of client details for his marketing agency, including individuals’ names and telephone numbers. However, Ben notices a typographical error in a draft list that he has printed out. What does Ben do? He simply crumples the printed draft into a ball and drops it into his waste basket. Are there any adverse issues with this act? Yes.
All the clients’ personal data, albeit on a crumpled piece of waste paper, remain exposed, as the information may be recovered by any third party who retrieves the waste paper. It is hard to imagine anyone rummaging through garbage for valuable personal data, but the mere possibility of such a leak could be sufficient to breach the PDPA.
This may seem obvious, but how many firms and companies simply dispose of waste paper regardless of the information it contains? This alone might put many organizations in danger of breaching the PDPA. However, this issue is only the tip of the iceberg.
Recent cases have emerged in Singapore in which numerous organizations were issued warnings or fines by the Personal Data Protection Commission (“PDPC”), Singapore’s main body for the administration and enforcement of the PDPA.
In a well-reported case, the PDPC imposed financial penalties of S$50,000 on KBox Entertainment Group (KBox) and S$10,000 on its data intermediary, Finantech Holdings. KBox was deemed to have provided personal data to Finantech Holdings without imposing sufficient data protection clauses and obligations on Finantech Holdings to ensure adequate protection under the PDPA. The compliance failure of KBox resulted in the unauthorised disclosure of the personal data of 317,000 KBox members. With that said, what can local companies do in the face of such real compliance risk?
Firstly, when organizations deal with third-party data intermediaries (like Finantech Holdings), they should ensure that there are adequate contractual safeguards governing the handling of the personal data transferred to them. Appointing a competent Data Protection Officer (“DPO”) might be an important step to ensure such compliance issues are addressed. The appointed DPO could educate the relevant data intermediaries on the importance of PDPA compliance and conduct regular monitoring to ensure adequate data protection compliance.
The PDPA empowers the PDPC to issue financial penalties of up to S$1,000,000.
Dr Yaacob Ibrahim, Minister for Communications and Information, highlighted at a recent Personal Data Protection Seminar that it is no longer an option to treat data protection as an afterthought. With the rise in the number of organizations against which the PDPC has taken action, it might be time for all organizations to take the PDPA more seriously, ensuring adequate compliance when handling personal data and sufficient measures to protect such data. The recent actions taken by the PDPC against numerous organizations are an urgent reminder to us all of the adverse consequences of PDPA non-compliance.
The consequences of non-compliance with the PDPA may amount to more than just financial penalties. Organizations may incur additional time and financial costs in dealing with numerous client/customer complaints in the event of a suspected data breach. Furthermore, there is the negative publicity that could adversely affect organizations when the PDPC takes action for PDPA non-compliance. Clients/customers might lose trust and confidence in an organization in the event of a personal data leak, and this may ultimately lead to loss of business and revenue down the line.
Now might be a good time to assess your organization’s internal policies to ensure that PDPA compliance is sufficiently adhered to. A data protection compliance review is not optional and should not be treated as a mere afterthought. PDPA compliance review is essential. And the time is now.