Is your business at
risk of violating PDPA
Is your business at
risk of violating PDPA
Ensure your company doesn’t mishandle users’ personal data.
In today’s digital marketing era, your business can easily collect customer data to ensure more effective marketing outreach.
This is a powerful tool for ensuring marketing effectiveness and customer loyalty. However, your business needs to be careful about how you handle your customer data, as your business might unknowingly flout laws under the Personal Data Protection Act (PDPA).
What is the PDPA?
The PDPA governs the collection, use and disclosure of personal data by organisations. Its main objective is to balance the commercial need of organisations to use individuals’ personal data legitimately with the right of individuals to protect their personal data.
If found not complying with any of the Data Protection Provisions, the company could be fined up to $1 million.
To avoid such situations, here’s a quick guide to help your business comply with the PDPA:
What can your business do to ensure compliance?
There are a few key areas where your marketing efforts might potentially breach PDPA’s domain.
Customer data collection & handling.
In 2017, JP Pepperdine was fined $10,000 after it failed to secure its customers’ personal information such as name, gender, NRIC and address on its IT systems. Anyone could access the information with just a search on their membership portal.
If your business has a membership program, ensure that the data you collect from your members are kept private. If you’re storing the database on your website, your website should be adequately protected with cyber threat solutions to prevent unauthorised access.
Propnex Realty was also fined $10,000 for disseminating the personal data of 1,765 individuals. Investigation showed that the list was internally disseminated as a PDF in their own company’s virtual system, which was only available to agents and staff. However, there was no password security for the PDF itself.
If your company is disseminating sensitive information containing your customer’s data, always ensure your PDF files are password protected and can only be downloaded with authenticated logins.
When collecting customer data during events and campaigns, always ensure that your recipients have given their express consent. When they are submitting their details, provide a consent box for them to check for agreeing to their data utilised, like this example here:
“By signing up, you agree that <organisation name> may collect, use and disclose your personal data, which you have provided in this form, for providing marketing materials that you have agreed to receive, in accordance with the Personal Data Protection Act 2012 and our data protection policy (available at our website <webpage URL>).”
When sending marketing newsletters to your customers, you must also include an unsubscribe option. Once they do, you must remove records of their data if there are no legal or business reasons to justify keeping them.
SMS & cold calling
The Do Not Call (DNC) provisions under PDPA generally prohibits organisations from sending certain marketing messages (in the form of voice calls, text or fax messages) to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, registered with the DNC Registry.
There is an exemption – your organisation may send a text or fax message (but not voice call) on related products, services and memberships to individuals with whom you have an ongoing relationship (a series of one-off transactions does not constitute an ongoing relationship), without checking the DNC Registry.
When making voice calls, the calling identity and phone number must not be concealed. Similar to emails or newsletters, you need to provide individuals with the option to opt out of such messages, using the same medium by which the message is sent. If an opt-out request is made, you can no longer rely on the exemption and must stop sending such messages to that individual's phone number within 30 days of the opt-out.
The DNC Registry, however, does not cover messages sent for other purposes, such as service calls or reminder messages sent by organisations to render services bought by the individual.
Outside of the DNC, you can still legally send marketing messages to recipients who did not give prior consent. They will, however, be considered as spam; and have to be labelled with “<ADV>” before the email subject or SMS text to identify them as advertisements. Also, you’d need to clearly identify your organisation and provide contact details for the recipient to reach out for clarifications.
If you’re uncertain if your organisation meets all the obligations, don’t worry – you can seek counsel at a SME Centre for free or participate in the PDPA Legal Advice Scheme, under which an appointed lawyer will provide assessment and advice for a fixed fee of $5001.
With these tips and knowledge, your business will be able to market to your consumers, while safeguarding the interests of both your customers and your business, This will go a long way in protecting your company’s reputation and gain you more customers in the long run.
Guide to going global: Preparing your SME for overseas
Preparing your SME for overseas expansion.
What digital transformation leaders do that laggards don't
This article lists what digital transformation leaders are doing that laggards are not.