The PDPA (Personal Data Protection Act) is a law that requires companies in Singapore to obtain the consent of users before they collect, use or share their personal data.
The PDPA became effective on 2nd July 2014. Before that, Singaporean companies had six months to familiarise themselves with the new rules. This period also allowed the companies to align their data protection policies and practices so that they comply with the Personal Data Protection Act.
The Formation of the Personal Data Protection Act
During the drafting of PDPA, the primary point of reference was the data protection laws in countries that already had a similar system. These nations included the UK, Canada, Australia, New Zealand, and Hong Kong.
Later, the panel overseeing the drafting process conducted three public consultations to seek the opinion of the masses concerning their proposed data protection act. The feedback was mostly positive, and this led to the introduction of the PDPA.
What is Personal Data?
According to the PDPA, personal data is information, true or false, about an individual who can be identified from that data. It also refers to data that, when combined with other information, can lead to the identification of an individual.
How the PDPA Works
The PDPA is a set of rules that govern the collection, use, disclosure and protection of personal data. It gives the user the rights to protect their personal data.
An individual can easily access their data after collection and request a correction if it has errors. Also, a company must have the consent of the user if they wish to share this data with third parties.
Besides consent, a business must inform the user why they are collecting the personal data, as well as how they plan to use it.
Additionally, the PDPA specifies that a business can collect, use or share the personal data for purposes that are deemed reasonable in the prevailing circumstances.
Objectives of the Personal Data Protection Act
In this digital era, the majority of companies in Singapore collect, use and sometimes share massive volumes of personal data in their daily operations. This trend is expected to persist in the future, as advancements in technology make it easier to process large amounts of data.
However, individuals now have concerns over who has access to their private information. The primary objective of the PDPA is to ease these concerns by controlling the way these companies collect, use and share users’ private data.
By regulating the flow of personal data, the PDPA intends to cement Singapore’s status as a trusted global hub for business.
How to Implement PDPA in Your Company
Now that you know how PDPA works and its objectives, here are the best ways of ensuring that your business is compliant with this data protection law.
Obtaining Users’ Consent
The safest way of obtaining PDPA consent is by requesting the customer to sign or acknowledge the collection, use and disclosure of their personal data.
If your website has opt-in forms, remember to include a footnote that informs the user that your company intends to collect, use and share the data with third parties (where applicable). You should also specify the purpose of the data collection. Keep in mind that you need separate consents if you intend to use the data for multiple purposes.
The PDPA also stipulates that you cannot compel the users to give you consent so that you subscribe them to a particular product. For instance, if a customer refuses to provide their email address, you cannot bar them from purchasing items on your website. The only exception to this rule is if the information they refuse to provide is critical for that specific transaction.
If you want to send promotional emails and other offers to your clients, make sure that you include a checkbox below your opt-in form. The customer can then choose whether to subscribe to your promotion or not.
Is it Mandatory to Obtain Consent?
Interestingly, there are some situations where it is not mandatory to obtain consent. The PDPA rules state that a user who voluntarily shares their personal data for a specific purpose in reasonable circumstances is deemed to have given consent for the collection, use and sharing of such data.
If your team collects large amounts of data from many users, it might be impractical to reach every individual to obtain consent. In such a scenario, you should seek advice from an attorney who has an excellent understanding of data protection laws.
There are several other exceptions regarding the methods of collecting, using and disclosing private data. Always consult the PDPA rules before proceeding on this front. You can also seek legal advice if you find it challenging to grasp the law.
Withdrawal of Consent
The PDPA allows users to revoke consent any time they deem it right. If a user wishes to withdraw consent, they must first inform you of their intentions through an email. You are then required to respond to the request, indicating what you intend to do with the user’s personal data.
If the user confirms the withdrawal request, you must delete the data entirely from your systems. You should also inform other companies that you might have shared the information with to follow suit. An example of a withdrawal of consent is when a customer unsubscribes from your promotional offer mailing list.
What If You Do Not Comply With PDPA?
Failure to comply with the PDPA regulation attracts a fine of up to S$1 million. Besides, the oversight authority might order you to delete the data, stop using it or hand it over to a third party.
How PDPA Has Made Marketing Difficult For SMEs
Offline marketing is the traditional means of approaching potential customers, and small businesses usually contact marketing companies to buy prospect lists so they can reach their target audience. However, there are many flaws associated with this approach besides cold calling strangers and trying to persuade them into something. The PDPA (Personal Data Protection Act) in Singapore and the APPs (Australian Privacy Principles) have made things difficult for small businesses because not only do they have to comply with the law, but the fines for breaking the laws are also too high.
Direct marketing or offline marketing has become difficult for these main reasons.
- Small businesses cannot possibly afford the equipment and means for adequate data protection. This is not just about protecting the company’s data as a whole from hackers and cyber criminals; it also includes keeping customers’ data private during day-to-day operations. The data should be encrypted at all times and unnecessary data should be deleted securely.
- Insufficient background information on the marketing company is also a big hurdle. When purchasing prospect lists, small businesses need to do a background check on the vendor, and the process could be costly, time consuming and even ineffective in some cases. The buyers must know how the list was curated and how the data was collected.
- Privacy laws are continuously evolving and businesses need to keep themselves updated all the time. For small businesses, it could be a problem as they need to hire specialized staff for this purpose.
The alternative is online marketing strategies, which have proven themselves not only cost efficient but also more effective than direct marketing strategies. Some of the marketing tactics are publishing great content, interacting with customers and potential buyers via social media, creating videos to attract viewers, using infographics and developing an attractive website.
Your business website is your online identity and that’s the first thing your potential customers would see while searching for the products or services you offer. Make sure you have a catchy domain name and your website is responsive and performs well. Create a separate section for content on your website and post great content there regularly.
It could be once per day or even once per week, but make sure it is periodic because search engines like Google love seeing regular activity on websites. Not only search engines but people would also like to see new content on the website. You don’t have to adopt a sales tone in your content; the purpose of articles and blogs on your website is to provide value and valuable information.
Once in a while you can mention your products or services but that’s it. Social media can help you reach your target audience based on their age, sex, marital status, geographical location and other factors. You can target ads specifically to those people to increase your conversion rate.
Handling large volumes of personal data is a challenging task. With the ever-increasing concerns among users over the security of their personal data, complying with PDPA can be useful to your business in Singapore.
Customers are more likely to trust and transact with a company that guarantees the safety of their personal information. Also, adhering to these rules ensures that you remain on the right side of the law.