Here, we’ll get up to speed on what it’s really all about, the dos and don’ts for marketers, and how we can make sure we’re covered.
We need express consent (verbal, written, or otherwise) from consumers to collect, use, and disclose their personal data. That means they provide it voluntarily, with proper knowledge of how and why, and for a valid purpose.
No misleading them with vague terms and catch-all phrases. Lead-generation emails and forms must spell out what they are signing up for, what their data will be used for, and so on – and all of it has to be within reason.
Similarly, if it’s not a must-know, don’t ask for it. If we collect more than is reasonably required to do business with them, their consent is invalid.
Failure to answer a request for consent, or failure to hit “No, thank you”, is not consent. We have to ask: did they even read what we sent? And why no response?
It’s all too easy to sign up for things with somebody else’s details. We need a positive action that not only gives consent but also confirms that the person giving it really is the owner of those details. Like this:
- They fill in a form, and those details are sent to us.
- We send them an email with a “click here if that was really you” link.
- Once they click, we have permission to contact them.
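The three steps above, plus the withdrawal of consent discussed later on this page, as an added worked example (not code from the original article). The security point the steps gloss over is that the “click here if that was really you” link must be unforgeable and must expire, otherwise anyone who can guess a link can “confirm” an address that is not theirs. The example binds the address and issue time to an HMAC-SHA256 tag, checks it in constant time, and keeps a small consent ledger so that a pending or withdrawn address is never treated as consented. The key, the 48-hour expiry, the confirmation URL and the in-memory ledger are all assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example: a random per-process key. A real deployment loads a
# persistent key from a secrets store so that issued links survive restarts.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600                       # assumption: links expire after 48 h
CONFIRM_URL = "https://example.invalid/confirm?t="  # hypothetical confirmation endpoint


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, issued_at: int) -> str:
    """Bind the address and the issue time to an HMAC so the link can neither be
    forged for an arbitrary address nor re-pointed at someone else's address."""
    payload = f"{issued_at}|{email}".encode("utf-8")
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_confirmation_token(token: str, now: int) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed, tampered
    with, or older than TOKEN_TTL_SECONDS."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None
    issued_str, sep, email = payload.decode("utf-8", errors="replace").partition("|")
    if not sep or not issued_str.isdigit():
        return None
    if now - int(issued_str) > TOKEN_TTL_SECONDS:
        return None
    return email


class ConsentLedger:
    """In-memory stand-in for the consent records a marketer has to keep."""

    def __init__(self) -> None:
        self.pending = {}    # email -> time the form was submitted (no consent yet)
        self.confirmed = {}  # email -> time the link was clicked (consent on record)
        self.withdrawn = {}  # email -> time consent was withdrawn

    def submit(self, email: str, now: int) -> str:
        """Step 1: a form lands. Record the unconfirmed sign-up and return the link
        that goes into the 'click here if that was really you' email."""
        self.pending[email] = now
        return CONFIRM_URL + make_confirmation_token(email, now)

    def confirm(self, token: str, now: int) -> bool:
        """Steps 2 and 3: the link is clicked. Only a valid, unexpired token for an
        address that is still pending turns the sign-up into consent; a replayed
        token for an already-confirmed address is rejected."""
        email = verify_confirmation_token(token, now)
        if email is None or email not in self.pending:
            return False
        del self.pending[email]
        self.confirmed[email] = now
        self.withdrawn.pop(email, None)
        return True

    def withdraw(self, email: str, now: int) -> None:
        """Consent can be withdrawn at any time; the address drops out of both
        the confirmed and the pending sets."""
        self.confirmed.pop(email, None)
        self.pending.pop(email, None)
        self.withdrawn[email] = now

    def may_contact(self, email: str) -> bool:
        """Silence is not consent: only a confirmed address may be contacted."""
        return email in self.confirmed


if __name__ == "__main__":
    ledger = ConsentLedger()
    link = ledger.submit("alice@example.invalid", 1_700_000_000)   # constructed input
    print("send this link:", link)
    token = link[len(CONFIRM_URL):]
    print("confirmed:", ledger.confirm(token, 1_700_000_060))
    print("may contact:", ledger.may_contact("alice@example.invalid"))
```

Note that the token carries the address in the clear; that is deliberate, because the tag only proves the link was issued by us for that address. Anything secret belongs on the server side, keyed by the address, not inside the link.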
B2B marketers in agencies, being data intermediaries, must pay special attention to those parts of the PDPA that deal with the safeguarding and retention of personal data.
So long as we’re contacting them for the purpose their data was collected, we’re good.
As a rule of thumb, third parties also need consent from individuals to disclose personal data to other organizations. Written or verbal proof will do, but the best would be a contractual undertaking.
Withdrawal of consent
The PDPA also lets them withdraw consent at any time, and we are responsible for telling them the likely consequences of withdrawing.
Once they do, we must stop using their data and dispose of it, unless there is a legal or business reason that justifies keeping it. Until they withdraw, it’s fine to keep contacting those whose consent we already hold.
The DNC regime
The Do Not Call (DNC) Registry goes live on 2 Jan 2014, after which we can no longer cold call (or SMS, or fax) any number that is on it, unless we hold clear and unambiguous consent for that number.
That goes for businesses as well as consumers. People can seek permission from their employers to register their business numbers, and then the same rules apply.
We have to be frank about who we are and why we’re contacting them. Make it clear that our messages will be delivered to their Singapore phone number. And, as usual, get consent through positive action.
Consent has to be specific to the channel and purpose: “you consent to receive information about special offers we may have from time to time” is what we need for the DNC regime. A blanket “you consent to the use of your personal data for marketing purposes” does not cover telemarketing messages to a Singapore number.
Penalties and precautions
Failure to stick to any of the above puts us at risk of non-compliance, and that brings:
- fines of up to S$10,000 for DNC violations
- fines of up to S$1m for violations under the rest of the PDPA
- damage to reputation
- the prospect of private action
All it takes is one employee’s non-compliance for the whole outfit to be held responsible, which is why it’s so important to take preventive steps as a defence:
- Review all existing personal data.
- Secure it with
  - robust policies backed by regular training,
  - physical and computer security and access controls,
  - and proper disposal of confidential documents.
- Designate a Data Protection Officer (DPO)
  - who is locally contactable
  - and reachable during Singapore business hours.
- Make all data protection practices transparent to the public.
- Respond to all data-related requests (access, correction, withdrawal) within 30 days.
The PDPA comes into full force on 2 Jul 2014. Learn more about it here.