By Kami Navarro
According to the World Economic Forum, the entire digital universe reached 44 zettabytes in 2020—about 40 times more bytes than stars in the observable universe. Given the deluge of data, it is crucial to ensure data privacy and security for key pieces of personal information, from credit card details to mobile device IDs, are shared, collected and used in a safe and responsible manner.
In Singapore, the Personal Data Protection Commission (PDPC) was established to administer and enforce the Personal Data Protection Act (PDPA), which was first introduced in 2012. The PDPC aims to build an environment of trust in the Republic’s digital ecosystem by balancing organisations’ need to use data with individuals’ need to safeguard their personal information.
Helping drive our city-state’s data protection initiatives is Mr Yeong Zee Kin, PDPC Deputy Commissioner and concurrently Assistant Chief Executive (Data Innovation and Protection Group) at the Infocomm Media Development Authority (IMDA). In this feature, find out more about Singapore’s data protection landscape and how both businesses and individuals can take steps to secure data in a digitalised world.
1. Can you tell us about your role as Deputy Commissioner of the PDPC?
Zee Kin: As Deputy Commissioner, I support the Commissioner in the discharge of PDPC’s roles as both an enabler of data use and enforcer of data protection standards. Some of my key responsibilities include formulating and implementing personal data protection-related policies as well as ensuring that they support national initiatives and keep pace with international developments. Our policies are updated through a variety of instruments, like advisory guidelines, practical guidance and legislative amendments. In developing these policies, we strive to align our regulations with international standards. This helps reduce compliance overheads for domestic businesses that operate in multiple jurisdictions and facilitates their expansion into global markets.
At PDPC, our overarching goal is to ensure organisations develop sufficient in-house capabilities to manage personal data. To anchor this, we continually build up the skills and competencies of our community of Data Protection Officers (DPOs). With properly trained DPOs, organisations can better embark on their data protection efforts. We also provide tools for organisations that enable them to use data as well as protect data. Our Better Data Driven Business (BDDB) programme’s set of tools enable businesses to use data to achieve common business objectives such as growing product sales, acquiring new customers and more, while embedding good data protection practices.
Additionally, we provide a comprehensive set of guides and templates through our website that DPOs can make use of. Organisations that require help can also tap on our Data Protection-As-A-Service (DPaaS).
The PDPC investigates a steady volume of complaints fairly and objectively, ensuring that appropriate directions or financial penalties are made for each case. We also develop enforcement options and options like undertakings and expedited processes for organisations to focus on taking corrective actions in the event of a breach.
2. Can you tell us more about Singapore’s data protection landscape?
Zee Kin: The PDPA was introduced as a baseline standard for personal data protection. We have since shifted from a compliance-based approach towards an accountability-based approach.
To entrench this principle of accountability, amendments were made to the PDPA to mandate accountable practices like risk assessments and data breach notifications. There were four broad themes—building organisational accountability, strengthening enforcement, improving consumer autonomy and enabling data use for business growth as well as innovation. In that vein, we also recognise legitimate uses of personal data and expanded the options for obtaining consent to enable businesses to process personal data.
As a regulator, it is important that we front this pivot from compliance to accountability by first providing tools and policy guidance before encouraging industry adoption of these resources. For instance, the PDPC promotes resources for data protection management and recognises organisations with accountable practices through certifications like the Data Protection Trustmark (DPTM).
Additionally, we are keen to make things easier for businesses engaged, or those that wish to engage, in cross-border trade. To this end, we have set up internationally-recognised and harmonised mechanisms to better facilitate data flow across borders. Singapore pioneered Digital Economy Agreements (DEAs) that align common digital standards and systems and actively contributed to the development of the ASEAN Model Contractual Clauses (MCCs) which established a baseline standard for data protection in ASEAN through contractual means.
We also recognised certifications like the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems as valid data transfer mechanisms which help organisations transfer personal data to certified recipients in select APEC countries like the US or Japan.
3. What is the PDPC’s approach to data protection?
"In Singapore, we take a holistic approach to data protection. Everyone has a part to play."
As a regulator, we must create the right regulatory environment to encourage accountable data use without stifling innovation. Organisations can and should use personal data for legitimate purposes, but they should also put in place good internal governance processes as responsible custodians of consumers’ personal data. We maintain trust between consumers and organisations by taking appropriate enforcement actions against organisations who breach the PDPA. This helps balance the scales between protecting personal data and enabling data use for businesses to innovate.
We recognise that different types of businesses have different levels of sophistication in their collection and use of personal data. For smaller businesses that handle smaller volumes of employee and customer data, our approach is to provide templates and tools to help them achieve common business objectives. These resources help embed best practices for small business owners to use data to achieve legitimate business objectives. As businesses grow, they have to be accountable and take ownership of their data governance.
An accountability-based approach also means that larger organisations must take responsibility for the personal data under their possession or control. They will have to start putting in place customised policies, processes and practices that are adapted to their situation. For such companies, we continue to provide guidance documents and templates as needed.
As a good practice, organisations should promote an accountability-driven corporate culture by establishing a structure for governance and risks assessment, developing policies and practices for personal data and establishing processes to operationalise them. Adopting certifications like the Data Protection Trustmark (DPTM) allows organisations to validate their data protection standards and assure their stakeholders that they have robust policies and practices to safeguard personal data.
Meanwhile, individuals should be equipped with basic data protection knowledge and tools to assess the trustworthiness of agents or platforms that ask for their personal data.
4. How has Singapore’s data protection landscape evolved in recent years?
Zee Kin: Accelerated digitalisation brought about by COVID-19 has seen an exponential increase in data generation and data flows. While the accumulation of personal data by businesses has its risks, we should not shy away from leveraging data. Instead, we strive to help businesses maximise the benefits of data while minimising the risks for consumers.
"Contrary to common belief, data protection and data innovation are not mutually exclusive and can be compared to the twin engines of a plane—both must work equally well for the plane to take off."
Effective and trusted data use will serve to help businesses remain competitive in the digital economy and the use of data for innovation can happen at all levels and for different sizes of companies.
At the PDPC, we strive to listen to the industry’s needs, encourage innovation and provide greater clarity on how to use data responsibly. We introduced regulatory sandboxes that allowed for the co-development of policies and regulations to encourage innovative data use. These turned out to be quite well-received, particularly during pre-pandemic times. Apart from recognising the internal use of data for business improvement, legitimate interests, or research purposes, we also facilitate data sharing between organisations through tools like the Trusted Data Sharing Framework (TDSF), which provides a common ‘data-sharing’ language and incorporates contractual templates to help organisations share data in a trustworthy manner.
We also recently launched the BDDB programme, designed to help SMEs use data safely when generating insights to help them achieve their business objectives, while operationally integrating best data protection practices. The BDDB business intelligence tool provided can help SMEs gain better insights into what sells, when and to whom. This can help them design more attractive offerings for their customers.
5. Do you have any advice for business owners as they seek to improve their data protection and innovation practices?
Zee Kin: Business owners who recognise the value in data should consider doing three things.
First, invest in the quality of their data. The quality of insights and subsequent business decisions depend on good quality data. There is a need to continually invest in maintaining the quality of data. While doing so, organisations should consistently reference resources, adhere to best industry practices and adopt tools to ensure their data is managed responsibly.
Next, develop in-house skillsets and capabilities. Ensuring that both management and staff possess the appropriate skills for working with data is crucial for unlocking the value in data. Fundamental to this is upskilling and assisting DPOs to help the organisation reach the right level of data maturity. Equally important is that all levels of management should learn to appreciate the importance of data, acquire skills appropriate to their level to use and gain insights from data as well as develop a natural instinct to protect and manage their data responsibly.
Lastly, organisational leadership must also take data protection seriously to set the right tone within corporate policies. This should include establishing a data governance structure, nurturing an organisational culture that practices accountability and demonstrating good data protection standards through the adoption of certifications.
With these, the instinct to invest in and protect data will come naturally. Along with the right insights, businesses can then innovate with confidence and thrive in the digital economy amidst new technology, business models and global developments.
The PDPC aims to balance the protection of individuals’ personal data with organisations’ need to use the data for legitimate purposes. To learn more about Singapore’s personal data protection regime, visit the PDPC website.