SMEs to get two guides on personal data security

SINGAPORE — With small and medium-sized enterprises (SMEs) increasingly coming under threat from cyber attacks and not having the resources to deal with them, the Personal Data Protection Commission (PDPC) has joined hands with the Cyber Security Agency to launch two guides on how to manage data breaches and to secure personal data stored digitally.

And with many SMEs saying in a recent survey that they would benefit from legal advice regarding the Personal Data Protection Act (PDPA), the PDPC has also tied up with the Law Society to offer a one-hour consultation session at a lower rate of S$500.

The scheme, beginning next month, includes advice on whether the companies have complied sufficiently with the PDPA and any follow-up actions they need to take.

These are some of the new initiatives that the PDPC unveiled yesterday (May 8) to help businesses, especially SMEs, protect personal data and comply with the PDPA.

Speaking at the Personal Data Protection seminar, Minister for Communications and Information Yaacob Ibrahim noted that a key part of Singapore’s Smart Nation efforts is the use of big data and analytics.

“Against this background, it is inevitable that the volume of personal data held by our companies and organisations will grow, perhaps exponentially.

“Data will increasingly be a key driver of business operations in our economy.

“Therefore, personal data protection will be increasingly critical as an enabler,” he said.

Next month, the PDPC will double the number of credits that companies can use to check phone numbers against the Do-Not-Call (DNC) registry to 1,000 annually.

One credit can be used to check against one number. With this, it expects that more than 80 per cent of the organisations checking numbers with the DNC registry will not need to pay for extra credits.

About 440 data protection-related complaints have been received by the PDPC since the PDPA took effect in July last year. About 140 complaints are under investigation, of which fewer than 10 relate to data breaches, it said.

The PDPC is also recommending that companies report any data breach to the commission as part of the new guidelines.

Commission chairman Leong Keng Thai said: “When formulating the legislation, it was recognised that as a start, the legislation would not take a prescriptive approach of mandating notification of unauthorised data disclosure by organisations as there is no one-size-fits-all approach.”

“(But) the commission will take into consideration whether the organisation has taken responsible actions and adequate recovery measures including reporting the breach, when taking enforcement action against the organisation,” he added.