The power of the Data Protection Trustmark for M1

Last updated: 29 November 2019

Published on: 27 November 2019

The customer engagement frontline is also the data protection frontline.

When the Personal Data Protection Act (PDPA) first came into force in 2014, telecommunications services provider M1 decided that its personal data protection efforts would be driven by the customer service department, because that department handles the bulk of the personal data needed for customer interactions and service delivery.

“We decided the Data Protection Officer (DPO) should come from an operations department, and narrowed that down further to customer service. This is by virtue of the volume of personal data that crosses their hands. We were also conscious that it is not good enough to have just policies and procedures in place – we have to make sure we do what we say we will be doing,” said M1’s Director of Customer Experience & Retail, Mr Stamford Low.

This tenet was reinforced when the organisation decided to apply for certification under the Data Protection Trustmark (DPTM) scheme. The assessment process helped to enhance awareness and good practices of data protection amongst its customer service staff.

Collective effort

M1 provides mobile and fixed line services to over two million customers in Singapore. In the course of delivering these services, it collects personal data such as the customer’s full name, NRIC number, address and contact information for purposes of identification and verification. It also collects usage data such as IP addresses and location. “Protecting this data is vital,” said Mr Low.

When the organisation embarked on strengthening its personal data protection efforts in 2014, it established a committee to tighten policies and processes surrounding personal data protection and introduce ways to heighten awareness amongst its staff.

Led by the customer service department, the committee comprised personnel from human resource, engineering, IT, procurement, marketing and other departments across the organisation. This was in recognition of the fact that data protection is a collective effort.

Besides fine-tuning policies and processes, one of the new initiatives implemented was a mandatory e-learning module on protecting personal data that all personnel had to undergo, including the Chief Executive Officer. Such measures placed M1 in good stead when it came to DPTM certification, since they ensured that everyone in the organisation understood his or her role in personal data protection.


Covering the ‘how’

The DPTM was officially launched by the Infocomm Media Development Authority (IMDA) in January 2019, and M1 felt that it would be a good proof point for its efforts in personal data protection. “We saw it as a natural extension of what we were already doing.”

To prepare for DPTM, M1 rolled out several initiatives internally, including engaging an external consultant to help identify areas for improvement. This was an organisation-wide effort involving more than 10 departments and over a third of M1’s 1,500 staff.

There was quite a lot of work to be done. Whilst the company already had policies and processes in place for compliance with the PDPA, DPTM requirements delved much deeper. “PDPA does not really prescribe ‘how’ something is to be done. But for the purpose of DPTM documentation, we needed to cover the ‘how’ in greater detail,” said Mr Low.

For example, under PDPA’s Access and Correction Obligation, customers may request access to their personal data. While the earlier version of M1’s policy had made provisions for such requests, it did not state how quickly this access would be granted. In preparing for DPTM certification, M1 amended the relevant forms and procedures to ensure that the information was stated upfront in the service level agreement for the processing of an access request.

Looking back, Mr Low felt it was a good decision to engage an external consultant in its certification effort. “Having a third party look at what you say you are doing really helped because he was completely unbiased, and was therefore able to look at things through an objective lens.”

Another important lesson gained through the pre-DPTM exercise was a better understanding of data protection by design and the advantage of introducing data protection impact assessment early in a product development lifecycle.

“Now, when we come up with new ideas, we start to think about issues relating to consent from customers for the collection and use of their personal data, and address them much earlier in the process.”

When the organisation finally applied for certification, the assessment went smoothly with improvements required only in a few areas. In August 2019, M1 became the first telecommunications services provider in Singapore to attain the certification.

Continuous journey

Internally, the DPTM has further strengthened the culture of personal data protection across the organisation. The fact that M1 stepped up for the voluntary assessment made its staff realise the seriousness it placed on responsible and accountable handling of personal data.

Even after attaining certification, M1 continues to review and introduce new data protection initiatives. For example, staff training was enhanced to include specific operational scenarios where they would need to handle personal data. It also implemented regular Clean Desk Audits to inculcate good habits and ensure that no personal data is inadvertently left exposed on someone’s desk.

Validation


For M1, certification affirms that it is moving in the right direction in terms of personal data protection. “We see value in being the first telco in Singapore to be able to say that a third party has validated that we have got good practices in handling personal data,” said Mr Low.

From the business aspect, the certification has helped M1 when it comes to bidding for telco contracts from corporate customers. “When bidding, there is always a section on personal data protection. In the past, we had to spend a fair amount of time and effort to answer related questions. What we do now is simply state that we are DPTM-certified, which is much more impactful, saving both time and effort in contract discussions on data protection matters,” said Mr Low.

For consumers, personal data protection is something that resonates with them today. “We see customers taking a greater interest in what is happening to their personal data, so the DPTM comes at the right time,” said Mr Low.

For more information, visit the Data Protection Trustmark webpage.
