In our previous post, we shared how individuals can take responsibility for ensuring their personal data stays protected. Now that many individuals are better educated, they are more aware of how to make informed choices when choosing an organisation to safekeep their personal data. How then, as a business that collects personal data for processing, can you assure your customers that their personal data is in safe hands?
First and foremost, your customers will only trust you if you practise what you preach. Here are some rules of thumb you should adhere to:
#1 obtain consent
Firstly, you have to obtain either verbal, written, or even deemed consent for any personal data to be collected.
What constitutes consent includes voluntary provision of the data, or cases where it is reasonable to treat the data as voluntarily provided. Your customers also have the right to withdraw their consent at any time. One example is the Do Not Call (DNC) Registry, where individuals can opt out of receiving unsolicited marketing messages and calls. Should your business be involved in telemarketing, you must ensure that numbers subscribed to the DNC Registry are not contacted for marketing purposes. Each offence can incur a fine of up to $10,000 or imprisonment. B2B marketing calls or messages sent to other organisations do not fall under the purview of the DNC Registry.
How do businesses check what numbers are registered on the DNC registry?
- Create an account at a one-time fee of $30 ($60 for overseas companies) to gain access to the DNC system.
- You can enter up to 10 phone numbers manually at one time. Results of the search are displayed immediately.
- To check more than 10 numbers at one time, upload a CSV file containing the list of 8-digit Singapore telephone numbers. The results will be available for download after 24 hours.
- All results are valid for 30 days, so re-check numbers before each campaign once that window has passed.
#2 Inform your purpose
Once you have obtained consent, the personal data collected can only be processed in an appropriate manner and for a reasonable purpose. You must ensure that your customers are informed of the purpose for which the personal data is being collected.
Every time you need to collect personal data from individuals, be it online or offline, state its purpose clearly in writing at the point of collection (see image below).
#3 allow access
Individuals have the right to request that we provide access to, and make corrections to, their personal data. There are some exceptions, such as cases in which providing access would cause immediate harm to the safety, or physical or mental health, of the individual; threaten the safety, or physical or mental health, of another individual; or reveal another individual’s personal data.
#4 update data regularly
We must make a reasonable effort to ensure that all personal data collected is accurate and complete. Allow your customers to correct their data and prompt them to update it regularly. This matters especially where the personal data is likely to be used to make a decision that affects the individual to whom it relates, or is likely to be disclosed to another organisation.
#5 protection of data
You must protect personal data in your possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar activity. If your business wants to store personal data in the cloud, you should take appropriate steps to ensure that the transfer of data to the cloud complies with the PDPA’s data protection requirements.
Most privacy breaches occur because of human error. Simply leaving your laptop unattended or forgetting to shred personal information before disposal could lead to a personal data leak. Ensure that your employees are aware of and trained in how to collect, process, store and dispose of personal data to minimise such mistakes.
Delegate the task, not the responsibility.
If you engage third parties and need to pass your customers’ personal data to these vendors, it is your responsibility to perform due diligence and research thoroughly whether the company is reliable. Read the security and privacy policies of the companies to which you are giving your customers’ data. You remain partially liable if there is any privacy breach on the third party’s side.
#6 purge what you don’t need
You must cease retaining documents containing personal data, or anonymise that data, as soon as it is no longer needed for the purpose for which it was collected, or for other legal or business purposes. If your customers request that their data be deleted, you should comply. If your business maintains physical or electronic records of personal data, these records have to be disposed of appropriately, as stipulated in the PDPA.
#7 keep within bounds
You should not transfer personal data outside Singapore except in accordance with the Act’s requirements. If you must transfer it to another region, be certain that you have obtained consent from your customers prior to the transfer, and ensure that the external company provides a comparable standard of data protection.
#8 be transparent
At EventNook, we deal with a lot of personal data, so we practise extra caution in data handling and take pride in our commitment to protecting all our customers’ personal data while delivering results. If you have any questions about our data protection policies for your events, feel free to drop us an email or give us a call; our friendly team will be more than happy to assist you!