What does PDPA stand for? PDPA is the Personal Data Protection Act, which provides a baseline standard of protection for personal data in Singapore. It comprises requirements governing the collection, use, disclosure and care of personal data.
What constitutes personal data? Personal data is data about an individual who can be identified from that data, or from that data together with other information to which the organisation has or is likely to have access.
The PDPA has been in force in Singapore since 2012. It was amended with effect from February 2021 to let businesses use data for innovation while keeping safeguards in place to protect customers' personal data. The enhanced PDPA introduces new exceptions to the consent requirement for research, business improvement and legitimate interests. Each exception comes with conditions, summarised below as the questions to ask before relying on it.
RESEARCH
Example: early-stage or exploratory R&D
Q. Is it impracticable to seek consent from individuals?
Q. Is there a clear public benefit for the research?
Q. Will you ensure that the results will not be used to make decisions that may negatively affect any individual?

BUSINESS IMPROVEMENT
Example: improving or developing products and services, analysing preferences, or personalising services
Q. Do you need to use data in identifiable form?
Q. Are the companies bound by contract or agreements to safeguard the data?
Q. Are the individuals your prospective or existing customers?

LEGITIMATE INTEREST
Example: prevention and detection of fraud, misuse of services, ensuring security at premises
Q. Have you conducted an assessment of the risks to individuals?
Q. Does the legitimate interest outweigh the risk to individuals?
Q. Will you provide information on the purpose for which you are using the data?
If you answer "NO" to any of the questions for the exception you intend to rely on, that exception does not cover your collection of customers' personal data, and the PDPA's normal rule applies: you will need their opt-in consent. Opting in means the user takes an affirmative action to give consent, such as ticking a box that was not pre-ticked; a pre-ticked box or silence is not an affirmative action.
So what is the best way for your website to be PDPA-compliant when collecting personal data? Here are 5 best practices to follow.
#1 – SSL/TLS Certificate
What is SSL? SSL, and its modern successor TLS, is the protocol behind https://. With a certificate installed correctly, your website loads at https:// instead of http:// and browsers show a padlock beside the address. The certificate lets the browser verify that it is talking to your server and establishes an encrypted link between the web server and the browser, so all data passed between them stays private: when a visitor submits a contact form or checks out their cart, anyone intercepting the traffic sees only ciphertext that is of no use to them. Two caveats: the http:// version of your site must redirect to https:// (ideally with an HSTS header so browsers stop trying http:// at all), otherwise a visitor who types the bare domain still submits the form in the clear; and TLS protects data only in transit, so it does nothing for the data once it is sitting in an inbox or database (see #4). SBWD offers a website maintenance package that keeps the certificate renewed and the other security features of your website working.
#2 – Request for Consent
There must be an affirmative action by the visitor to consent to providing their data when they submit a form containing personal data. SBWD achieves this by adding a required, unticked checkbox field with a link to your PDPA policy, so the visitor is clear about what they are consenting to when they submit their personal data on your website. The checkbox must also be checked on the server, not only by the browser's "required" attribute, which anyone can bypass by posting the form directly; and each submission should record when consent was given and which version of the policy the visitor saw, so you can show it later.
#3 – Cookie Consent Option
HTTP cookies are small pieces of data that a server sets in the browser when you connect; the browser sends them back with each later request, so the website can recognise the same visitor and improve their browsing experience. The data is labelled with an ID unique to that browser. Most websites install analytics software such as Google Analytics and Facebook Pixel, which set their own tracking cookies. When we embed such code for client websites, we include a cookie notice that tells the visitor what the website tracks and asks them to accept. The tracking scripts should only load after the visitor accepts: a notice shown after the tracking cookie has already been set is not consent.
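The following is an added example, not SBWD's code, of the server-side half of that pattern: the page template emits the Google Analytics and Facebook Pixel snippets only when a consent cookie says the visitor accepted, and the Set-Cookie header that records the choice is built with Secure, HttpOnly and SameSite attributes. The cookie name `cookie_consent`, its values and the tag IDs in the snippets are assumptions.

```python
"""Gate tracking snippets on an explicit consent cookie (added example)."""
from http.cookies import SimpleCookie, CookieError

CONSENT_COOKIE = "cookie_consent"      # assumption: set by the banner's Accept action
CONSENT_MAX_AGE = 180 * 24 * 3600      # re-ask after 180 days (assumption)

# Tracking snippets that must NOT reach the browser before consent.
# Tag IDs are placeholders.
GA_SNIPPET = ('<script async src="https://www.googletagmanager.com/gtag/js'
              '?id=G-XXXXXXX"></script>')
PIXEL_SNIPPET = '<script>/* Facebook Pixel init for pixel ID 000000 */</script>'


def consent_state(cookie_header):
    """Return 'analytics', 'essential' or 'none' from the request's Cookie header.

    Anything missing, malformed or unrecognised is treated as no consent,
    so a tampered or stale cookie can never switch tracking on.
    """
    if not cookie_header:
        return "none"
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return "none"
    morsel = jar.get(CONSENT_COOKIE)
    if morsel is None or morsel.value not in ("analytics", "essential"):
        return "none"
    return morsel.value


def tracking_snippets(cookie_header):
    """HTML snippets the template may emit for this request."""
    if consent_state(cookie_header) == "analytics":
        return [GA_SNIPPET, PIXEL_SNIPPET]
    return []


def show_banner(cookie_header):
    """The banner is shown until the visitor has made a choice either way."""
    return consent_state(cookie_header) == "none"


def consent_set_cookie(choice):
    """Build the Set-Cookie header value recording the visitor's choice.

    HttpOnly is fine here because the server, not page script, decides
    whether to render the banner and the tracking snippets.
    """
    if choice not in ("analytics", "essential"):
        raise ValueError("choice must be 'analytics' or 'essential'")
    jar = SimpleCookie()
    jar[CONSENT_COOKIE] = choice
    morsel = jar[CONSENT_COOKIE]
    morsel["max-age"] = CONSENT_MAX_AGE
    morsel["path"] = "/"
    morsel["secure"] = True      # only over https://
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return morsel.OutputString()
```

Wire `tracking_snippets()` into the layout template and `consent_set_cookie()` into the handler for the banner's Accept button; the "essential" value lets a visitor decline tracking without being asked again on every page.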
#4 – Set up contact forms that send data to a secure database
There are many ways the data from a contact form is stored after submission. It can be emailed to a recipient, or stored in the website's backend system such as WordPress. Both are at risk of compromise, because mailboxes and websites are common targets, and a submission sitting in an inbox is usually unencrypted and copied to every device that syncs that mailbox. SBWD assists clients in setting up secure third-party apps for storing form submissions, so the data does not reside in just any email inbox or in the website backend. Whichever store is used, access to it should be limited to the staff who need it, and the form handler should write to it with parameterised queries rather than by pasting visitor input into SQL.
#5 – A single location for updating contact status
The PDPA stipulates that visitors can request to know what information you hold about them, and to have it updated or removed from your database. SBWD suggests storing all personal data collected on the website in one secure centralised system. Having a single location in which to update or delete a contact means a request can be honoured completely, without stale copies lingering in inboxes or spreadsheets, and demonstrates a high level of PDPA compliance if your company's PDPA practices are ever called into question.
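The following added example, which is not SBWD's contact management system, ties #2, #4 and #5 together in one small contact store: the form handler refuses any submission whose consent checkbox was not ticked and records when consent was given and under which policy version; every write is a parameterised query; and access, correction, withdrawal and deletion requests each act on that one record, with an audit trail keyed on a hash of the e-mail so it survives deletion without retaining the address. It uses an in-memory SQLite database; the table, column and form field names (`pdpa_consent`, `POLICY_VERSION`, etc.) are assumptions.

```python
"""Consent-recorded contact store with data-subject request handling (added example)."""
import hashlib
import sqlite3
from datetime import datetime, timezone

POLICY_VERSION = "2021-02"   # assumption: bump whenever the PDPA policy text changes


class ConsentRequired(ValueError):
    """Raised when a submission arrives without an affirmative opt-in."""


def open_store(path=":memory:"):
    """Open (or create) the contact store. Schema is an assumption."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS contacts (
        email TEXT PRIMARY KEY, name TEXT, message TEXT,
        consent_at TEXT NOT NULL, policy_version TEXT NOT NULL,
        status TEXT NOT NULL)""")
    conn.execute("CREATE TABLE IF NOT EXISTS audit (at TEXT, subject TEXT, action TEXT)")
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _audit(conn, email, action):
    # Keyed on a hash so the trail survives deletion without keeping the address.
    subject = hashlib.sha256(email.lower().encode()).hexdigest()[:16]
    conn.execute("INSERT INTO audit VALUES (?,?,?)", (_now(), subject, action))


def submit_form(conn, form):
    """Server-side handling of a POSTed contact form; `form` is the parsed body.

    The browser's `required` attribute is not trusted: the consent field must
    be present with the exact value an HTML checkbox sends ("on"), otherwise
    the submission is rejected and nothing is stored.
    """
    if form.get("pdpa_consent") != "on":
        raise ConsentRequired("opt-in checkbox was not ticked")
    email = form["email"].strip().lower()
    conn.execute("INSERT OR REPLACE INTO contacts VALUES (?,?,?,?,?,?)",
                 (email, form.get("name", ""), form.get("message", ""),
                  _now(), POLICY_VERSION, "opted_in"))
    _audit(conn, email, "submit")
    conn.commit()
    return email


def access_request(conn, email):
    """Everything held about this person, for a PDPA access request."""
    cur = conn.execute("SELECT * FROM contacts WHERE email=?", (email.lower(),))
    row = cur.fetchone()
    if row is None:
        return None
    _audit(conn, email, "access")
    return dict(zip([d[0] for d in cur.description], row))


# Only these columns may be changed by a correction request; each has its own
# fixed statement so no column name is ever interpolated from user input.
UPDATABLE = {"name": "UPDATE contacts SET name=? WHERE email=?",
             "message": "UPDATE contacts SET message=? WHERE email=?"}


def correction_request(conn, email, **fields):
    """Apply a correction request to the whitelisted fields."""
    for field, value in fields.items():
        if field not in UPDATABLE:
            raise ValueError(f"{field} cannot be changed via a correction request")
        conn.execute(UPDATABLE[field], (value, email.lower()))
    _audit(conn, email, "correction:" + ",".join(sorted(fields)))
    conn.commit()


def withdraw_consent(conn, email):
    """Withdrawal: keep a suppression record but drop the personal content."""
    conn.execute("UPDATE contacts SET name='', message='', status='withdrawn' "
                 "WHERE email=?", (email.lower(),))
    _audit(conn, email, "withdraw")
    conn.commit()


def deletion_request(conn, email):
    """Remove the record entirely; True if a record was actually deleted."""
    cur = conn.execute("DELETE FROM contacts WHERE email=?", (email.lower(),))
    _audit(conn, email, "delete")
    conn.commit()
    return cur.rowcount == 1


def opted_in_contacts(conn):
    """The one list staff should work from: contacts who are still opted in."""
    return [r[0] for r in conn.execute(
        "SELECT email FROM contacts WHERE status='opted_in' ORDER BY email")]
```

`opted_in_contacts()` is the central touch point for staff: because withdrawal and deletion update the same table the list is built from, a contact who withdraws disappears from it immediately rather than surviving in someone's exported spreadsheet.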
SBWD recognises that SMEs in Singapore need to improve the way their websites collect personal data to keep up with PDPA requirements and avoid hefty fines. We can provide consultancy and create a PDPA contact management system that offers:
- Forms created in the system and embedded on your website
- Proper opt-in / opt-out on every form
- Form data captured in a secure database that your company can access
- Database redundancy to prevent loss of contact data
- A central touch point for staff in your company to check and use opt-in contacts
- A way for the public to check what information you hold about them in your database
- A way for the public to request that their information be updated or their status changed
Contact us to find out more about how your website can improve in PDPA-compliance.