What You Need to Know About Data Retention in Singapore

By Sharanya Mohan

October 12, 2022


Singapore was the first country to earn the title of “Smart Nation”. With Web 3.0 looming on the horizon, there is a lot that can be learned from the city-state. Along with Singapore’s impressively high GDP-to-trade ratio, consumer AI readiness score, and tech-progressive culture, this makes it an ideal destination for international digital companies to thrive in. However, if you do plan to operate digitally in Singapore, you must understand all of its user data-related regulations.

In the past, Singapore’s guidelines for data privacy were surprisingly lax. As the country became more digitally integrated, the Singaporean government began to recognise the need to formalise and codify stricter restrictions. This came in the form of the Personal Data Protection Act (PDPA), which continues to evolve to this day. So what does this mean for your organisation’s plans to expand into the Singaporean digital market? How will it affect you? The following guide will answer these questions by examining data destruction procedures and digital law compliance in Singapore.

Understanding The Digital Economy of Singapore

J.P. Morgan’s 2020 Payments Trends Report revealed that the cross-border eCommerce market was worth nearly S$3 billion. That is 35% of the total eCommerce market.

In 2021, the Singapore government decided that it was going to apply its goods and services tax (GST) to low-priced products (worth below S$400) that were purchased online and imported by air or land. Before then, Singapore’s GST rules afforded price advantages to overseas sellers. As such, foreign eCommerce sellers could trade items at a lower price than local sellers.

Of course, this resulted in goods sold by foreign sellers being far more popular than those of local ones. Nevertheless, overseas retailers and/or marketplaces will be required to register under Singapore’s GST come January 2023. Thus, if their low-cost goods exceed a specified threshold, they will be required to apply GST at a rate of 7%. This should help level the playing field. It is only one example of how Singapore’s digital space is evolving.

Many have considered Singapore’s government to be forward-thinking. They have established plans to develop digital projects alongside private industry. They have heavily invested in digitisation. In 2021, they announced plans to work alongside private corporations in an effort to accelerate digital transformation in Singapore. 

The government’s foremost priority was digital migration. In 2018, they planned to move at least 70% of their least sensitive physical IT infrastructure over to the commercial cloud. By 2020, Singapore had already invested S$3.5bn in information and communications technology (ICT).

This spending was expected to keep increasing over the following three years, which showed that Singapore was serious about digital transformation. However, this growth and change cannot be unfettered. Singapore must establish rules and regulations to protect its people. This is where Singapore’s Personal Data Protection Act comes into the conversation.

The Personal Data Protection Act of Singapore

The PDPA, first conceived in 2012, helps to govern how organisations and individuals collect, store and use personal data and to ensure that none of these data are misappropriated or misused. 

Whether an organisation is fully digital or brick-and-mortar, it collects data from its customers. This includes personal data, which can be used to identify individuals. This information is often stored and used by organisations for various purposes and situations. People need protection that ensures that their data is not being misappropriated or misused.

Common Sources of Personal Data

Some of the most common pieces of personal data include:

  • Full name (including all first names and surname(s))
  • National Registration Identity Card (NRIC) number
  • Birthdate
  • Gender
  • Race
  • Address
  • Portrait photograph
  • Blood group

Much of this information can be found in:

  • Identity cards
  • 11-B ID
  • Passport
  • Driver’s licence

How Does the PDPA Work?

The PDPA is designed to protect Singapore’s citizens from:

  • Fraud
  • Defamation
  • Cyberattacks

A good example of a process enforced by the PDPA is consent for data collection. Before organisations can collect your data, they must notify you and/or ask for your consent. Customers and users have a right to know why the information is collected. Organisations are responsible for the careful storage and protection of data after they have collected it.

This includes establishing the right cybersecurity policies and ensuring all staff are educated and well-informed in the latest data security practices. It also includes limiting the number of employees that have access to user personal data and ensuring that your organisation remains compliant.

It’s important to note that the PDPA may not apply to government ministries and public agencies in the course of their duties. This includes:

  • Housing and Development Board
  • Land Transport Authority
  • Urban Redevelopment Authority

Nevertheless, public agencies should not abuse their authority for personal reasons. For instance, in 2015, a police officer was fined S$4000 for accessing a police computer system to spy on his mistress. 

How Long Can Personal Data Be Retained in Singapore?

Singapore’s PDPA isn’t as strict as other regulations. It doesn’t dictate a specific length of time for personal data to be stored. However, it does state that personal data may only be retained as long as one or more of the purposes it was collected for remains valid. The data can also be retained in case it may be useful in the future for another purpose, of which the individual the data belongs to will be informed.

The PDPA also states that data that is no longer required by an organisation should be securely destroyed and disposed of. Alternatively, the data can be anonymised so that it cannot be used to identify the individual it belongs to. However, many industry experts would advise against this as it is too risky. 

Nevertheless, the general rule of thumb is to destroy data that is no longer useful within 12 days of its obsolescence. While the PDPA has yet to codify any specifics, your organisation must try to be as blameless as possible in case of a data breach.

Singapore’s Personal Data Protection Act (PDPA) 2021 Update

The first version of the PDPA was released in 2012. It was essentially just a collection of general guidelines and best practices, and it wasn’t particularly precise in its descriptions. Nevertheless, the PDPA evolved over the years to include dos and don’ts, but with limited consequences for non-compliance.

In 2021, Singapore’s government released an update that was most notable for its addition of a fine that could be levied up to 10% of your organisation’s revenue. Previously, it may have been justifiable to deprioritise privacy compliance as Singapore’s PDPA was more forgiving than industry-specific regulations.

There may have also been an erroneous assumption that compliance with one regulation (such as the GDPR) was sufficient to provide compliance with all regulations. However, as punishment for non-compliance increases in severity, this is a risk not worth taking anymore. 

Your organisation must also consider the cost impact beyond the fine itself. While smaller organisations may not attract as much revenue, they may still incur legal fees of up to S$50,000. The larger the organisation, the larger the breach, and thus the larger the potential resulting costs and fines. As such, bigger SMEs are not spared from the repercussions of negligence when it comes to data privacy. Being PDPA compliant is extremely important if you hope to operate in Singapore.

How to Be More PDPA Compliant

It’s extremely important to understand the amount your company may be fined after a breach occurs. This figure will depend on how compliant your company tried to be before the breach.

Essentially, any steps you’ve taken towards compliance and your ability to prove them can greatly reduce the financial impact on your organisation. It’s recommended that organisations treat official guidelines as seriously as regulations. While they’re often offered as simple suggestions, they will still play a role in judging your overall compliance in the event of a breach.

Forming your policies and breach plans into simple documentation is not enough. You must be able to prove that these policies have been embedded in the culture of your organisation and that the relevant teams have thoroughly rehearsed your data breach plan. This can have a positive effect on your overall compliance assessment. 

Following the best practices in IT and data security and timely reporting of a breach are critical elements in meeting compliance. It’s important to remember that breaches occur more frequently during weekends. Thus, your organisation should plan accordingly. 

Again, your organisation should destroy any personal data it no longer needs. This includes backups. Your organisation should only keep data that it can and will use. The less data your organisation holds and controls, the less data can be exposed during a breach.
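The retention rule described in the section above (keep a record only while at least one collection purpose is still valid, then securely destroy it or anonymise it) and the point made here about backups can be turned into a routine sweep. The following is an added example and not code from the article or from SPW; the record layout, purpose names, NRIC values and dates are all constructed for the illustration, and the 12-day rule of thumb is not encoded because the article treats it as guidance rather than a codified requirement.

```python
"""Purpose-based retention sweep for personal-data records.

Added illustration; not code from the original article or from SPW.
The record layout, purpose names, dates and identifiers are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Purpose:
    name: str
    valid_until: Optional[date]  # None means open-ended, e.g. an active legal hold

    def is_valid(self, today: date) -> bool:
        return self.valid_until is None or today <= self.valid_until


@dataclass(frozen=True)
class Record:
    record_id: str
    nric: str                 # identifying field
    full_name: str            # identifying field
    address: str              # identifying field
    order_total_sgd: float    # non-identifying, still useful for aggregate reporting
    purposes: tuple           # tuple[Purpose, ...]
    locations: tuple          # every copy held, backups included


def valid_purposes(record: Record, today: date) -> list:
    """Names of the collection purposes that are still valid today."""
    return [p.name for p in record.purposes if p.is_valid(today)]


def anonymise(record: Record) -> Record:
    """Blank every identifying field so the remainder cannot be tied to a person."""
    return replace(record, nric="", full_name="", address="")


def plan_retention(records, today: date, prefer_anonymise: bool = False) -> dict:
    """Decide, per record, whether to keep, anonymise or destroy it.

    A destroy entry lists every location, so the backups are not forgotten.
    """
    plan = {"keep": [], "anonymise": [], "destroy": []}
    for r in records:
        if valid_purposes(r, today):
            plan["keep"].append(r.record_id)
        elif prefer_anonymise:
            plan["anonymise"].append(r.record_id)
        else:
            plan["destroy"].append((r.record_id, list(r.locations)))
    return plan


def apply_plan(records, plan: dict) -> list:
    """Return the record set after the plan: destroyed rows gone, anonymised rows blanked."""
    destroy_ids = {rid for rid, _ in plan["destroy"]}
    anon_ids = set(plan["anonymise"])
    kept = []
    for r in records:
        if r.record_id in destroy_ids:
            continue
        kept.append(anonymise(r) if r.record_id in anon_ids else r)
    return kept


# Constructed sample data; NRIC values are placeholders, not real numbers.
TODAY = date(2022, 10, 12)
SAMPLE = [
    Record("r1", "S0000001A", "Tan Ah Kow", "1 Example Rd", 120.0,
           (Purpose("order fulfilment", date(2022, 9, 30)),
            Purpose("warranty service", date(2023, 12, 31))),
           ("primary",)),
    Record("r2", "S0000002B", "Lim Bee Hwa", "2 Example Rd", 59.9,
           (Purpose("order fulfilment", date(2022, 6, 30)),),
           ("primary", "backup-2022-07")),
    Record("r3", "S0000003C", "Raj Kumar", "3 Example Rd", 300.0,
           (Purpose("legal hold", None),),
           ("primary", "backup-2022-09")),
]

if __name__ == "__main__":
    for mode in (False, True):
        plan = plan_retention(SAMPLE, TODAY, prefer_anonymise=mode)
        print("prefer_anonymise =", mode, "->", plan)
```

Running the sweep on a schedule and keeping its output as a log gives the kind of evidence of deliberate compliance the article says matters after a breach: which records were destroyed, where every copy lived, and why each survivor was retained.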

Employing the right tools for data erasure and disposal is as important as having the right software and infrastructure for cybersecurity. Of course, your business should not be handling its requirements for privacy and data compliance on its own. It’s important to partner with the right vendor.

In Summary

As eCommerce and digital adoption evolve in Singapore, the government has cast more scrutiny on its personal data privacy laws. The PDPA has always been a general guidebook. However, in 2021 we began to see substantial amendments to the PDPA that introduced fines. It’s more important than ever to be data compliant. Hence, it is recommended that you associate yourself with an IT asset management specialist that is familiar with regional data privacy regulations.

SPW is one such vendor. Operating through our international network of branches and partners, we’re an organisation well versed in the latest regulations from the GDPR to Singapore’s PDPA. Even as Singapore’s PDPA continues to evolve, SPW will remain up to date with the latest amendments while ensuring that obsolete data is completely and safely erased. Contact SPW today for more information on how we can help you become and remain PDPA compliant.   

We Have Your Back

Our secure IT asset disposal services provide the dependable solution you need for your e-waste and end-of-life asset needs. Our team applies safe and sustainable steps that are regulatory-compliant at every stage of the process.

From the point of collection, auditing, shredding and/or wiping to remarketing and/or donating your IT assets, you can be sure with our end-to-end services that we take your security seriously.

SPW is Asia’s go-to solutions provider for data destruction, data erasure, IT asset remarketing, and environmentally-responsible IT asset disposals. Contact us and learn how you can incorporate an ITAD strategy into your business today. 
