How new personal data protection guidelines on NRICs impact SMEs

MOST SMEs in Singapore provide customers with various services, making them a goldmine of personal data and information.

Recently, the Personal Data Protection Commission (PDPC) outlined a new set of guidelines on the collection of NRICs that will come into force in September 2019. This new guideline will be applicable to all organisations in Singapore and it aims to enhance consumer protection against unjustified collection, use, disclosure and retention of physical NRICs.

How will it affect SMEs?

These new guidelines will significantly impact businesses in Singapore, especially SMEs that offer consumer services. In order to stay compliant, SMEs will have to change their internal processes when it comes to collecting personal information.

The biggest misconception by SMEs of the new PDPC NRIC guidelines is that they are too small to be affected which could not be further from the truth. SMEs who do not adhere to the guidelines are putting themselves at risk of data breaches, which may cause them reputational and monetary loss.

What's in store if you do not comply?

SME business owners might argue that data security is not crucial as there are more pressing matters that require attention such as day-to-day operations and financial concerns. Recently, a recent SME Development Survey showed that SMEs in Singapore are expecting a decline in turnover and are expecting a more challenging business environment due to the US-China trade war.

Singapore SMEs can be significantly impacted if found in breach of the Personal Data Protection Act (PDPA) due to hefty fines of up to S$1,000,000 which may be imposed on any organisation.

In addition, SMEs offering services to an international clientele could also potentially be in breach of the General Data Protection Regulation (GDPR), whose fines are up to 20 million euros (S$30.5 million) or 4 per cent of an organisation's global turnover. This is easily more than S$30,000,000, which is 30 times larger than a PDPA fine.

With this, Singapore SMEs will also potentially face an inevitable drain on resources required and would have to spend more on money and time to plan for proper steps in becoming compliant.

The numbers may seem intimidating, but complying with the PDPA may not necessarily be that expensive. Organisations need to ensure that they are well-versed with the new guidelines and protect any personal data within their control and destroy data which no longer serves the purpose for which it was required.

A good first step by SMEs should be to always take note of when and why they should collect their customers' NRIC details. In the event they are required to collect any information to prove one's identity, there may be various alternatives which can be adopted to ensure adherence to the new guidelines. For an example, organisations can request for email addresses or partial NRIC numbers (e.g. XXXXX123B).

Importance of adopting a holistic data security

To ensure compliance with the PDPA, SMEs are encouraged to adopt a holistic approach to data security, paying attention to not just digital data but also physical data. In addition, organisations that are going digital might still have copious amounts of confidential data stored on hard copy and it is crucial that such data is securely destroyed if it is no longer required.

When left unprotected or not securely destroyed, it is easier for a physical data breach to happen. Data mongers can steal these physical documents and manipulate confidential data for various illegal activities such as money laundering, identity theft and even loan-shark activities.

What should SMEs do to safeguard data

While adhering to the new guidelines is crucial, SMEs should also do more to ensure that their organisation protects all data in their care, be it digital or physical. Engaging the services of a trusted document destruction provider can help SMEs securely destroy all unwanted confidential data. If in doubt, SMEs can consider shredding all documents to fully prevent any personal data from falling into the wrong hands.

While data breaches are unpredictable, SMEs should take proactive steps in data security. It is important for SMEs to regularly review their data protection practices and ensure that there are no possible loopholes that might inconvenience them.

Sound policies should be established to provide for additional layers of checks and balances specifically to watch for and prevent human error during normal operational workflows. These checks should ensure that standard operating procedures are strictly followed and serve as an additional line of defence.

In addition, appointing a data protection officer (DPO) in organisations is a mandatory requirement under the PDPA. The DPO has a responsibility of overseeing an organisation's data protection practices and can greatly assist in promoting a culture of data security, ensuring that SMEs stay on track with the PDPA compliance requirements.

Being aware of changes in the data security landscape and staying open to new practices can help SMEs protect all data in their care and uphold their reputations as businesses that can be trusted.