New law looms, SMEs not ready for it
THE personal data protection law goes into full swing in two days' time, but most small and medium-sized enterprises (SMEs) are still not ready to comply with its requirements.
Under the Personal Data Protection Act (PDPA), which kicks in on Wednesday, companies must comply with guidelines on how they collect, use, disclose and dispose of personal data.
Firms must also appoint a Data Protection Officer to ensure that the requirements are met.
Although an industry readiness survey conducted earlier this year found that one in two organisations said they are prepared for the Act, this may not be the case for SMEs, said Kurt Wee, president of the Association of Small and Medium Enterprises.
Mr Wee noted: "For SMEs that deal with consumer data and need to get themselves practically oriented, I think less than half of them would be ready by July 2."
He expects that they will need at least another year to get up to speed, despite the Act being phased in progressively over an 18-month period.
Sidney Lim, managing director for South-east Asia at consulting firm Protiviti, said that for many SMEs, the cost of implementing the data protection measures may range upwards of $15,000.
"Even if you are a nail spa, when you collect a client's personal information, you need to include clauses to give you the necessary permission to use, manage or disclose the data. You also need processes in place to anonymise the data," Mr Lim added.
"There must also be reasonable security arrangements to prevent unauthorised access," he said.
Because of the costs, some SMEs may be adopting a "wait-and-see" attitude till after the law kicks in. The PDPA takes a complaint-based approach to enforcement and companies may just choose to do nothing for now, Mr Lim noted.
Mr Wee said that besides getting themselves ready for the PDPA, companies have had to adhere to other laws and operating guidelines in recent years.
These include the PDPA's do-not-call registry, the lemon law, the Ministry of Manpower's tightening up of foreign labour, and new financial filing guidelines required by the Accounting and Corporate Regulatory Authority.
"Singapore is becoming an increasingly more 'compliant' ecosystem... There are a lot of silent costs in assigning manpower and time to handle these," Mr Wee noted.
With the deadline looming in two days' time, Mr Lim has one piece of advice for companies: Get started today.
"If the firm goes and updates its website, and makes the information about its policies and procedures to meet the PDPA obligations - that's a start," he said.
"As long as you have shown that you have started to try and meet the obligations, I think the PDPC will have some sympathy... and not be as strict as on those that have done nothing," he added, referring to the Personal Data Protection Commission.
Some have swung into action. Data-storage company Kronicles Asia has received a three-fold increase in inquiries from SMEs over the past six months, said its chief executive officer, Piti Pramotedham.
Mr Pramotedham said compliance with the PDPA will involve changes to IT systems and outsourcing work to external IT firms. Again, costs are a factor.
A spokesman for the PDPC said that in the event of any investigation, the commission will provide "an opportunity for organisations to provide their account of the matter, and will seek to ensure that any action taken will be proportionate, taking all circumstances and factors into consideration".