Ways PDPA Affects Data Collection and Use
Data, like oil, is a very precious commodity in today’s digital world. As discussed in every PDPA course, data is being traded online at an alarming rate. From the emails we send to the things we buy online, we give up a great deal of Personally Identifiable Information (PII) for the sake of our digital conveniences.
Online businesses are hungry for this data, which yields convincing insights into consumer behaviour that can drive increased consumption of a company’s products or services.
But as companies build ever larger customer databases, there is a growing sense that businesses are ill-equipped to protect and handle the data they collect. This sentiment stems from a slew of data breaches and cases of customer data misrepresentation. In parallel, the authorities have been advising the public to protect their own personal data and to submit it only when absolutely necessary for a particular service.
The Personal Data Privacy Commission (PDPC) in Singapore introduced the Personal Data Privacy Act (PDPA) in 2012 to govern the handling of personal data by Singapore-based organizations.
What is PDPA?
The PDPA lays down a data protection law containing a set of rules that regulate the collection, use, disclosure and care of personal data. It balances individuals’ rights over their personal data, such as the rights of access and rectification, against organizations’ need to collect, use or disclose personal data for lawful and reasonable purposes.
Data Collection
One major PDPA provision that affects organizations is the requirement to obtain customers’ permission before collecting their data. Organizations also now need to be transparent with consumers about how information is collected. For example, they have to publish detailed cookie and website privacy policies, state who gets to see and interact with the data, and say how long the data will be kept.
This is especially critical in the digital marketing environment, where the desire to collect as much consumer data as possible can lead companies to err. One of the notable cases that drew attention to personal data protection was the Cambridge Analytica-Facebook controversy. Companies therefore have to carefully review their online and offline collection practices to determine whether each piece of information requested from the consumer is actually necessary.
Companies are no longer entitled to call or email people without their explicit consent; doing so exposes the company to a PDPA fine. The collection of National Registration Identity Card (NRIC) numbers and other national identification numbers is also now regulated, and organizations are not allowed to retain physical copies of these cards unless it is deemed necessary.
Cybersecurity, No Privacy Without Security
The ability to protect collected data is inseparable from the competence to manage the data an entity gathers. The PDPA governs not only how data is stored, but also who has access to it, which in practice often includes third parties. Organizations in tightly regulated sectors such as financial services will find that many of the security requirements of standards and regulations such as ISO 27001 and PCI DSS overlap with those of the PDPA.
It therefore makes sense for companies to educate their workforce with an appropriate PDPA course and to adopt rigorous security practices early, staying ahead of both the regulators and cybercriminals. Falling short on either front can cost an organization dearly, as seen in the 2018 data breach of SingHealth and IHiS.
Closing Thoughts
Privacy laws such as the PDPA and the GDPR set a new standard against which companies should benchmark their activities. While it may not be immediately obvious how a company should adhere to privacy best practices, engaging third-party privacy consultants can be a cost-effective way to plan a regulatory compliance roadmap.