The PDPA (Personal Data Protection Act) is a Singapore law that requires organisations to obtain an individual's consent before they collect, use or disclose that individual's personal data.
The PDPA's data protection provisions came into force on 2 July 2014. The Act was passed in 2012, and the interval before the provisions took effect served as a transition period in which organisations could familiarise themselves with the new rules and align their data protection policies and practices with the Act.
The Formation of the Personal Data Protection Act
During the drafting of the PDPA, the primary point of reference was the data protection law of countries that already had a similar regime, including the UK, Canada, Australia, New Zealand and Hong Kong.
The body overseeing the drafting then held three public consultations to gather views on the proposed legislation. The feedback was largely positive, and the Act was subsequently introduced.
What is Personal Data?
Under the PDPA, personal data is data, whether true or not, about an individual who can be identified from that data. It also covers data from which an individual can be identified when it is combined with other information the organisation has or is likely to have access to.
How the PDPA Works
The PDPA is a set of rules that govern the collection, use, disclosure and protection of personal data. It gives individuals rights over their own personal data.
An individual can request access to the personal data an organisation holds about them and ask for it to be corrected if it contains errors. An organisation must also have the individual's consent before it discloses that data to third parties.
Besides obtaining consent, an organisation must tell the individual why it is collecting the personal data and how it intends to use it.
Additionally, the PDPA limits collection, use and disclosure of personal data to purposes that a reasonable person would consider appropriate in the circumstances.
Objectives of the Personal Data Protection Act
In this digital era, most organisations in Singapore collect, use and sometimes disclose large volumes of personal data in their daily operations. This trend is expected to continue as advances in technology make it easier to process large amounts of data.
At the same time, individuals are increasingly concerned about who has access to their private information. The primary objective of the PDPA is to address these concerns by regulating how organisations collect, use and disclose personal data.
By regulating the flow of personal data, the PDPA also aims to strengthen Singapore's standing as a trusted global hub for business.
How to Implement PDPA in Your Company
Now that you know how the PDPA works and what it aims to achieve, here are the main ways to ensure that your business complies with it.
Obtaining Users’ Consent
The safest way to obtain consent under the PDPA is to ask the customer to sign or otherwise expressly acknowledge the collection, use and disclosure of their personal data.
If your website has opt-in forms, include a notice that tells the user your company intends to collect and use the data, and to share it with third parties where applicable. The notice should also state the purpose of the collection. Keep in mind that if you intend to use the data for several distinct purposes, you need consent for each of them.
The PDPA also stipulates that you cannot make consent a condition of providing a product or service when the data requested goes beyond what is reasonably needed to provide it. For instance, if a customer declines to provide their email address, you cannot bar them from purchasing items on your website. The only exception is where the information they decline to provide is genuinely required to complete that transaction.
If you want to send promotional emails and other offers to your customers, add a separate checkbox to your opt-in form so that the customer can choose whether or not to subscribe to your promotions.
Is it Mandatory to Obtain Consent?
There are some situations in which express consent is not required. Under the PDPA, an individual who voluntarily provides their personal data for a particular purpose, where it is reasonable that they would do so, is deemed to have consented to the collection, use and disclosure of that data for that purpose.
If your team collects large amounts of data from many individuals, it may be impractical to obtain express consent from each of them. In such a scenario, seek advice from a lawyer with a sound understanding of data protection law.
The PDPA sets out several other exceptions to the consent requirement for collecting, using and disclosing personal data. Always check the Act and its accompanying guidelines before relying on one, and seek legal advice if the requirements are unclear.
Withdrawal of Consent
The PDPA allows an individual to withdraw consent at any time by giving the organisation reasonable notice; the Act does not prescribe a particular channel such as email. On receiving the notice, you must inform the individual of the likely consequences of withdrawing consent.
Once the withdrawal takes effect, you must stop collecting, using and disclosing the individual's personal data for the purposes covered by the withdrawn consent, and you must inform any third parties to whom you disclosed the data so that they do likewise. Whether the data must then be deleted depends on the PDPA's separate retention requirements, which oblige you to cease retaining personal data once it is no longer needed for any business or legal purpose. A common example of a withdrawal of consent is a customer unsubscribing from your promotional mailing list.
What If You Do Not Comply With PDPA?
Failure to comply with the PDPA can attract a financial penalty of up to S$1 million. In addition, the Personal Data Protection Commission can direct you to stop collecting, using or disclosing the data, to destroy it, or to give the individual access to it or correct it.
Handling large volumes of personal data is a challenging task. With users increasingly concerned about the security of their personal data, complying with the PDPA is not only a legal obligation but also a commercial advantage for a business in Singapore.
Customers are more likely to trust and transact with a company that safeguards their personal information, and adhering to these rules keeps you on the right side of the law.