Firms have to be responsible for personal data under their possession: Tan Kiat How

We take a step of faith when we give our personal information to organisations; we trust that this personal data remains secure with them.

Here, it is the responsibility of organisations to be vigilant, and adopt proper cyber security and data protection measures to keep their customers' data safe, said Senior Minister of State for Communications and Information Tan Kiat How in Parliament on Nov 9.

He added that the increased fines of up to 10 per cent of an organisation’s annual turnover under October 2022’s Amendments to Enforcement under the Personal Data Protection Act (PDPA) are a good step for protecting data.

But data shouldn’t leak in the first place, SMS Tan emphasised.

After the horses leave


“Going after the organisation after the data breach is almost like catching a horse after the barn door’s opened and the horses are dashed out,” said SMS Tan.

“More important are ex ante practices which will prevent the data from being expropriated or even taken out of the organisation,” he added.

This philosophy of accountability guides the recent Amendments to Enforcement under the PDPA.

“Accountability is a fundamental principle of the PDPA. The organisation has to take responsibility for personal data under their possession or control,” emphasised SMS Tan.

“They have to be answerable. To not just the regulatory authorities, their business partners. But importantly, the individuals and the clients and customers whose data is being entrusted to be kept under control or possession of the organisation or business.”

So, should an organisation breach the PDPA, fines of up to 10 per cent of an organisation’s annual local turnover are now possible when this turnover is more than $10 million.

This is up from the previously fixed $1 million.  

Learn more at the PDPC website 

The Personal Data Protection Commission’s (PDPC) website is useful for businesses needing advice on how to comply with the amended PDPA, said the SMS.

“There are many resources and toolkits available on the website, including many different schemes to help businesses actually start on their journey or enhance their cybersecurity or personal data protection,” he detailed.

Indeed, the website's resources note that the PDPC can accept a voluntary undertaking from organisations and people to take action (such as improving their cyber-defences or halting the use of personal data collected without consent) when the Commission finds them in breach of the PDPA.

The PDPC also publishes its decisions on data breach investigations.

“This is not just to have a salutary impact on other businesses and organisations to take this seriously,” said SMS Tan.

“But also for other organisations and businesses to understand the good practices of where other organisations have come short. And to incorporate some of these practices into their operations and their business environment.”

“So in that, I encourage all businesses to take a look at what’s been published on PDPC’s website around the breaches around the PDPC’s regulatory regime,” he said.
