The Personal Data Protection Act (PDPA) was updated in February this year.
If you have not been keeping tabs on data protection matters, this piece of news might have just flown under your radar.
However, these amendments affect both consumers and businesses, so we’re here to highlight some of the major changes with the help of an online shopping example.
Picture this: Jane loves shopping online. She visits her favourite blog shop — Mod Trinkets — and purchases a cute necklace.
Previously, a similar transaction would have seen Jane checking multiple T&C boxes just to allow Mod Trinkets to share her personal data with partner companies involved in the transaction.
But now, Jane only needs to give her consent to Mod Trinkets once, when she makes the purchase.
Because the blog shop has to process the online payment and deliver Jane’s purchases to her, Mod Trinkets is able to share the data that Jane provides — such as her full name, mobile number, email address, and home address — with the logistics and payment partners to fulfil the transaction.
The PDPA allows for personal data to be passed from an organisation to successive layers of contractors for the organisation to fulfil the contract with its customer.
The organisation can only collect, use and disclose personal data where it is reasonably necessary to fulfil the contract with the individual.
Of course, for the purpose of direct marketing, Mod Trinkets will still have to ask Jane for consent separately, which she gives as she likes to be kept updated on their latest products and promotions.
Aside from stocking a variety of fashionable (and not to forget, affordable!) pieces, Mod Trinkets is Jane’s favourite blog shop because it uses a somewhat revolutionary tool that allows customers to try on new make-up and accessories virtually.
A customer only needs to upload their photo online to see how a shade of lipstick or a funky earring might look on them.
Jane is very thankful for this technological marvel, which has saved her countless times from wasting money on lipsticks in unflattering shades.
One day, Mod Trinkets sends her an email informing her that the blog shop will be sending her personalised emails, and displaying their new products using her face, obtained from the photo she had uploaded. This would allow her to immediately see just how the new products would look on her.
The blog shop specifies that all of its account holders will be automatically opted in. If customers don’t want to have their photo used for this purpose, they can choose to opt out within one month. Alternatively, they can withdraw consent for the use any time thereafter.
Jane loves this new personalisation service and decides to stay opted in.
Deemed consent applies here: you are informed that your personal data will be used for a particular purpose, you are given the option to opt out, and you do not take any action to do so.
Under the updated PDPA, organisations can notify existing customers that their data will be used for a different purpose and allow them to opt out.
Before doing so, the organisation must conduct a risk assessment and conclude that the collection, use or disclosure of personal data in this manner will not likely have an adverse effect on the individual.
Unfortunately for Mod Trinkets, things don’t go too well for the company down the road.
Several months later, Jane receives an email from the blog shop notifying her that the business had suffered a serious data breach. Names, contact information and accounts of its customers, including Jane, were accessed.
The email lays out the details of the incident, including when Mod Trinkets discovered the breach, as well as the steps taken to fortify its database and proceed with service recovery.
It is signed off by Mod Trinkets’ Data Protection Officer, who informs Jane that she will have to reset her password the next time she logs on to her Mod Trinkets account and urges her to also change the passwords of her other accounts if they are similar. She does so immediately.
In the event of a data breach, companies must assess if it is serious enough to notify the Personal Data Protection Commission (PDPC) as well as affected individuals.
If the company assesses that it is a serious breach — one that is likely to result in significant harm or impact — it must notify the PDPC within three calendar days. It must also notify all affected individuals.
If the breach involves the personal data of 500 or more customers, the company must also inform the PDPC.
Individuals are encouraged to follow the instructions provided and take action immediately to protect their personal data from being further compromised.
The Covid-19 pandemic has forced businesses to accelerate their digital transformation, and along with it, collect and use more data from consumers. It is now the norm for businesses to collect, and for consumers to provide, data as we go about our daily lives. Therefore, data protection has become all the more important in this digital society.
To encourage everyone to make data protection a priority, the PDPC is marking the fourth week of May 2021 (May 24 to May 30) as Privacy Awareness Week in Singapore.
For more information on the updated PDPA, you can head over here.