Managing Personal Data - A Guide For Startups

Author: Daniel, Co-Founder of LawCanvas

By LawCanvas
 
The recent implementation of the Personal Data Protection Act in Singapore has been a hot topic amongst the business community. As a leading figure in your own company, you already have a million things to worry about. It's tempting to ignore this new piece of legislation and continue as before. But things have definitely changed, and its time to take stock of what you need to know.

Here are some key highlights on the data protection provisions of the PDPA:
 
What is the PDPA?
 
The Personal Data Protection Act (PDPA) aims to protect individuals' data from misuse by putting in safeguards to regulate the proper management of that data in both electronic and non-electronic form. Individuals have the right to be informed of the purposes for which organizations are collecting, using or disclosing their personal data, hence giving them more control over how their personal data is used.
 
What's considered personal data?
 
Personal data is data that can be used to personally identify an individual. This includes NRIC numbers, passport numbers, phone numbers, full names, email addresses, or even physical addresses. The PDPA protects all of this data, regardless of whether it is true or not.
 
However, information given in a business setting (e.g. business contact information such as a person's name, position, business email, phone numbers, office addresses) is generally excluded from the data protection requirements of the PDPA.
 
How does it work?
 
As part of your company's operations, it is likely that you collect many kinds of personal data from your users and/or customers. However, it is important that these individuals that you collect personal data from have been informed of its purpose, and that they have consented to the collection.
 
In determining whether consent has been obtained, there are three factors to consider. Firstly, the individual has to voluntarily provide the data being collected. Secondly, the organization has to use the data for the purpose for which the individual volunteered this data. Lastly, it has to be reasonable that the individual concerned would volunteer this information.
 
It is highly recommended that your company records consent from your users/customers in writing, or in a way that is easily accessible for future reference.
 
How can you get started on complying with the PDPA?
 
(1) Appoint a person in charge of overseeing compliance with the PDPA and make his or her contact information publicly available.
 
The PDPA requires all organizations to each appoint a Data Protection Officer (DPO) and to make their contact details easily accessible to the public. This is to ensure that individuals know who to approach if they have questions about their personal data.

(2) Map out your existing personal data inventory.
 
Mapping out your existing data inventory makes it easier to manage it well. Some questions to consider include:

• What personal data have you collected?
• How and where did you collect this data?
• Was consent obtained?
• What are the purposes and uses of the data that has been collected?
• To whom has this personal data been transferred?
• Where and how is the data kept and secured?
• How long does this data have to be retained within your organization?

 
(3) Implement data protection processes
 
When you have mapped out your inventory, a review of the data protection practices within your organization should be conducted to ensure that they are compliant with the PDPA. These are some example guidelines:  
 
Collection, use and disclosure:

• Define what kind of data is currently collected and will be collected by your organisation and set out how you may obtain this data and record consent to its collection
• Make your personal data protection policies and contact information of your DPO available to the public
• Allow individuals to withdraw consent at any time upon giving reasonable notice and ensure that they understand the consequences of their withdrawal 

Care for Personal Data:

• Classify personal data in your databases to facilitate housekeeping
• Set clear timelines for the retention of personal data and remove personal data that is no longer required for business or legal purposes
• For the transfer of personal data overseas, provide a comparable standard of protection by including data protection provisions in contracts with counterparties 

Access & Correction:

• Make available information on how users/customers may request to access or correct their personal data with your organization
• Establish clear practices for assessing and processing access and correction requests

 
What happens if you don't comply with the PDPA?
 
If your company is found to be breaching the data protection provisions of the PDPA, there could be disruptive effects on your business. The Personal Data Protection Commission (PDPC) may require you to:

• Stop collecting, using or disclosing personal data in contravention of the Act
• Destroy personal data collected in contravention of the Act
• Provide access to or correct the personal data; and/or
• Pay a financial penalty of an amount not exceeding $1 million.

Over and above these penalties, breaching data protection provisions results in unhappy customers! The consequences of negative word-of-mouth might be even greater than the sanctions imposed by the PDPC. 

Now that you have the basics covered, managing personal data shouldn't be that intimidating. If you're keen to know more, you can visit the official site of the PDPC where you'll find extensive information on the topic. 

The LawCanvas app provides legal document templates for businesses, and allows you to easily customize the clauses for your company's use. We're helping businesses to save time on legal stuff so that they can get back to building products and delighting customers. 

Visit us at our site, as well as our Facebook, Twitter, and Linkedin pages.