While the collection, use and disclosure of data is regulated by the Personal Data Protection Act, businesses should take an accountability-based approach in this area rather than merely complying with regulations

SINGAPORE (May 13): The Personal Data Protection Commission has always preferred to have conversations with businesses rather than take strict enforcement measures. This approach is to ensure that there is a fundamental shift in the general treatment of personal data, says Yeong Zee Kin, deputy commissioner of the PDPC.

“We don’t want to shock the system. The approach we took was very graduated. If you look back, even though the [Personal Data Protection Act or PDPA] took effect in 2014, it was passed much earlier in 2012. There was an 18-month ‘sunrise period’,” says Yeong in an interview with The Edge Singapore.

PDPC adopted a lighter enforcement approach initially as businesses came to grips with the requirements of the PDPA. Now that PDPA compliance among companies is in full swing, the commission hopes to change companies’ mindsets from ticking checkboxes to being accountable for the data they handle.

“The idea is very simple: If you have a checkbox compliance approach, you basically just take the regulations, translate them into a list of items to do, and check them off. Once that’s done, you think the job is done. But that doesn’t really address the fundamental cultural issue and changes in mindset that we are after,” says Yeong.

“Accountability, put simply, is encouraging businesses to understand the purpose of the rules and translate them into a set of measures that you can put in place, that are customised for your organisation. Next, you have to make sure that these measures are practised within your organisation. In this way, when something bad happens, you are able to provide an account of what you have done. That is fundamentally what accountability is about,” he adds.

Beyond enforcement and fines

Even with best practices in place, mistakes can happen. The accountability-based approach allows companies to demonstrate the steps they have taken to PDPC. The authorities have highlighted cases where companies with good and sufficient practices have been treated with leniency.

“The kind of approach we want to bring towards the practice of data protection is not focused on enforcement and fines, but really going deeper and getting the cultural change, and getting data protection embedded into the ethos and values of the companies,” says Yeong.

So what can businesses do to foster this accountability? One way is to apply for the Data Protection Trustmark (DPTM), which is a third-party certification to verify that they are accountable for the data they are handling. “The Data Protection Trustmark is a visible embodiment of accountability in practice,” says Yeong.

Businesses that obtain the DPTM would already have practices in place to fulfil the regulatory obligations of the PDPA, and that in fact go beyond mere compliance.

Yeong says the DPTM brings several key benefits. For one, it involves an independent external review of the organisation’s practices. A third-party audit can point out deficiencies or possible gaps in current policies, as well as recommend measures for improvement. The organisation would also enjoy greater trust from customers and stakeholders, as DPTM verifies that it is handling its data with appropriate care.

As the certification has to be updated every three years, customers can rest assured that the company’s practices, documentation and training remain effective. “This is accountability in practice,” Yeong points out.

Other benefits include greater trust between an organisation and its customers and other stakeholders, as well as improvements in the organisation’s policies and processes.

DPTM certification is gaining traction. So far, 10 organisations have been certified, 30 are in the process of being certified and 70 more have registered interest in getting certified. The certified organisations include local bank DBS Bank, data handling company Mamoru and the Tan Tock Seng Hospital Community Fund.

“This is something we piloted only in July last year. There is a healthy interest among companies and we are conscious of targeting companies with reach — not just more companies, but those that reach a larger segment of consumers,” says Yeong.

Data protection, data innovation

While the majority of businesses still view data as customer contact lists for marketing purposes, the increasing emphasis on digitalisation is pushing companies to collect more personal data. As such, regulations and processes around data protection should not be about clamping down on the use of data, but rather how to protect data while allowing it to be used innovatively and to flourish.

“[In some companies], a number of data protection officers are looking at not just data protection, but also data innovation. It means knowing what data you have of your customers — not just what you collected from them through forms, but what you are also able to collect through their use of your services, such as activity-generated data,” says Yeong.

“It is this category that provides customers’ actual preferences and behaviour through their actions, rather than what they declare. A lot of organisations are making use of such activity data to improve their services, enhance their products and know their customers better. When you go down this path, you are moving into data innovation, and when you do that, data protection takes on greater significance,” he adds.

So, how can businesses use data in a way that allows innovation, while respecting the customer? Issues such as purpose limitation, secondary-use concepts and even ethics come into play.

“It is finding the right mix of innovation and respect for the customer. We want to see it as a virtuous cycle, by providing businesses the clarity to confidently make use of data to improve products and services. In turn, customers use the products and services more if they find the services useful and their experience is good,” says Yeong.

“So this is where accountability comes in again. If we do checkbox compliance, a lot of things will be permissible by very broad consent clauses. But if you take an accountability-based approach, you’ll ask yourself: Yes, the technology allows me to do this, the legal compliance allows me to do it, but should I do it? Will my customer appreciate it? That’s the difference,” he explains.

At the end of the day, regulators want to encourage businesses to adopt a proactive customer-centric attitude, and prioritise their relationship with their customers.

“The way we are approaching it through accountability has benefits. We are better able to calibrate for real-world practicalities, to take into account that mistakes can and do sometimes happen, as well as help organisations find ways to be innovative while being respectful of their customers,” says Yeong.

Organisations who want to take the next step in their data protection journey and build trust with customers can go to http://www.imda.gov.sg/dptm for more information or register interest to become DPTM certified