While the first decade of the 2000’s was about creating new ways to share information online, the second has been about reigning in too much sharing and the protection of personal data. A number of data protection regulations have been put into place in recent years including GDPR in the EU and one in Singapore.
If your company collects, uses, or discloses personal data of employees or customers, then you’ll want to ensure you’re in compliance with Singapore’s Personal Data Protection Act (PDPA), which was enacted in 2012. PDPA was created to control the disclosure of personal data and contains a variety of rules governing its collection, use, disclosure, and care. The act tries to balance the following:
- The rights of individuals to protect, access, and correct their personal data
- The needs of organizations to collect, use, or disclose personal data for legitimate purposes
At Managed IT Asia we’ve been helping small businesses with data privacy compliance since these regulations first came into effect and have helped them do it affordably. Through our Managed IT Security solutions we address multiple threats that might plague their IT assets in order to keep them protected from a data breach. Read on for a primer on the key points of the Singapore Personal Data Protection Act and steps to take at your company to stay in compliance.
What Should My Company Know About Singapore’s PDPA?
The PDPA is applicable to personal data that is stored in both electronic and non-electronic forms. It includes a number or provisions for proper handling of personal information to ensure its not disclosed improperly and that if a data breach occurs, notifications are carried out expeditiously. Small businesses will find general PDPA reference guides for the regulation that cover areas of data protection, such as:
- Policies notification to individuals
- Securing personal data electronically
- Managing data breaches
- Passing of magnetic stripes of payment cards through a reader
- Handling data access requests
- Building websites for small or medium enterprises (SMEs)
- Disposal of personal data on physical mediums
- Preventing accidental disclosure during transmission
- Developing a data protection management programme
Another notable inclusion in the Personal Data Protection Act is a Do Not Call (DNC) Registry which is designed to reduce the number of unwanted telemarketing calls, marketing text messages and faxes. So, businesses using these mediums for attracting new business will need to ensure they check the DNC registry.
Penalties for Non-Compliance with PDPA
If your business is found to be out of compliance with the PDPA, it can mean a stoppage of part of your business that relies on personal data collection (such as payment card collection) and/or a monetary fine. Penalties that the Personal Data Protection Commission can impose on organisations that aren’t in compliance can include requiring the business to:
- Cease collecting, using, or disclosing personal data that’s in violation of PDPA
- Destroy personal data collected in contravention of PDPA
- Provide access to or correct the personal data
- Pay a financial penalty, not to exceed $1 million
IT Security Tips to Keep You in Compliance with Data Protection Regulations
Solid security practices can ensure you’re in compliance not only with Singapore’s PDPA, but also any other data security regulations that your business may be subject to from other countries. Here are some of the key best practices for proper personal data collection, handling, and protection.
Obtain Consent
You need to clearly let individuals know when their data is being collected and for what purpose and give them the opportunity to opt-in or opt-out. An example would be that if you have a field on your contact form to “sign up for company updates” that the box us defaulted to unchecked, so users need to take an action to opt-in.
Keep Data Use Reasonable
The PDPA looks at the legitimate and reasonable purposes for personal data collection and use. You want to ensure you’re using and disclosing that data for only those purposes that are necessary and not to go beyond the original intent for which the consent was initially obtained.
Access to Delete or Correct
Individuals must be given a way to have their personal data deleted and corrected, so these instructions should be clearly provided on your website or other materials related to personal data collection.
Proper IT Security
Organisations collecting, storing, and transmitting personal data should have reasonable safeguards in place including proper IT security to protect from data breaches, secure backup and storage systems, and personnel guidelines for handling of personal information.
Retention and Disposal Guidelines
Data should be destroyed or anonymised when it is no longer needed for any business or legal purposes. This means that your company should have guidelines in place for how long personal data is retained and how it is to be destroyed.
Make Timely Notifications
If a data breach occurs that has exposed personal data, have a plan in place for notification so it can be done in a timely manner and restorative steps can be taken as soon as possible to repair the damage.
Create a Clear Cybersecurity and Data Protection Policy
Take time to put together a cybersecurity and data protection policy at your organisation. This ensures that all your bases are covered when it comes to compliance with PDPA or another data privacy regulation. It will also help to greatly reduce the chance of a costly data breach and keep all your data better protected.
Need Help with a Strong Data Security Plan?
Managed IT Asia offers a number of managed IT solutions for small businesses that include protections to help you stay in compliance with data privacy regulations and keep your company’s network safe from a breach. Contact us today to schedule a free IT security consult at +65 6748 8776 or reach out online.
MANAGED IT ASIA, we are an IT Support, IT Solutioning and Managed IT Service Provider specializing in serving Small Businesses across Asia. Call us at +65 6748 8776 and let us manage your Small Business IT today!