Singapore’s Personal Data Protection Act (PDPA) governs the way companies in the country collect, store, use and disclose data.
In order to comply with KYC (Know Your Customer) laws, fintech companies must collect personal data from customers. And that, in turn, means they need to make sure they comply with PDPA.
The PDPA was drawn up in 2012 and came into full effect on 2nd July 2014. To comply with the act, companies must:
- Notify their customers if their data is being disclosed, collected or used, and only use that data for the purposes defined.
- Ensure consent has been granted by individuals before collecting, using or disclosing their data.
- Be able, upon request, to provide information on how a customer’s data has been used in the past 12 months.
- Ensure personal data is complete and accurate.
- Ensure data is kept secure from unauthorized access, modification, use or disclosure.
- Retain data only for as long as it is needed, and destroy it when it is no longer needed.
- Ensure that overseas external organizations provide a comparable standard of protection.
- Designate a Data Protection Officer (DPO) and publish his/her business contact information. Personal data protection policies should be made available to the public and to employees.
- Not send marketing messages to individuals who are registered in a National DNC (Do Not Call) registry.
To comply with this set of laws, companies must find a balance between respecting the individual’s right to data privacy and the organization’s desire to use data for its own purposes. To do so, fintech companies should develop a data privacy framework. The first step is to determine exactly what data is collected, where it is collected, and how it is stored. It’s also imperative to determine how that data flows within a company, and importantly if or when it crosses borders between countries.
Next, the company should determine where and how data is stored, backed up and disposed of. From these, conclusions must be drawn about when data may be vulnerable to a data breach. This amounts to a Privacy Impact Assessment (PIA) and includes measures such as change management, data loss prevention, data masking, ethical walls, privileged user monitoring, and user rights monitoring.
The company then needs to understand how data is used for cross-border marketing and how data is shared with third parties.
Once the company has analyzed the way it collects, uses, stores and protects data, it can begin to look at the compliance requirements. This necessitates looking at the legislation in all the countries in which it operates. Fintech companies in Singapore need to look beyond just Singapore’s data privacy laws. They should also look at industry-specific legislation and at obligations with regard to third parties.
Finally, all of this information can be used to set up internal policies and controls. These include statements made publicly available on websites and included in employee handbooks and training manuals.
In many cases, data is the lifeblood of a fintech company. But using or even storing that data comes with responsibility. Any company that wants to continue to have access to personal data must take personal data privacy seriously.