The Personal Data Protection Commission (PDPC) has taken enforcement actions against several organisations for breaching data protection obligations under the Personal Data Protection Act (PDPA).
Five organisations, including notable brands such as K Box, Challenger and Metro, were issued directions (four included financial penalties), while six others were issued warnings.
This is the first time the PDPC has taken decisive action on personal data protection. Previously, most fines and warnings were only meted out to those who breached the Do Not Call directory.
Karaoke chain K Box was slapped with a penalty of SG$50,000 for inadequate data protection policies and the absence of a data protection officer (DPO). This was for the compromise of the data of 317,000 of its members. Finantech Holdings, the IT vendor in charge of K Box’s content management system, was also fined SG$10,000. The last time K Box got into hot soup regarding data protection was in 2014.
“The enforcement actions taken are not to deter the use of personal data for business competitiveness. We recognise that data is essential for innovation in today’s economy. The key is to use it responsibly and take appropriate actions to protect it,” Leong Keng Thai, chairman, PDPC, said.
Other brands like Challenger and Metro were issued warnings by the data protection authority.
In response to the warning, Metro announced that it had commissioned KPMG to “conduct a robust security assessment and audit” of its internal and external internet-facing systems. Following KPMG’s report, it has resolved a number of the IT security issues raised, including enabling additional secure encryption protocols and applying patches for the vulnerabilities detected.
Challenger also took immediate steps to alleviate the situation, including terminating the services of the third-party vendor and hiring a data protection consultant, Straits Interactive, to audit and review its entire business processes and policies where personal data may come into play, according to Loo Pei Fen, chief marketing officer of Challenger Technologies.
“Challenger has also further trained its retail and back-end staff in the appropriate handling of personal data,” Loo said.
According to industry player Preetham Venkky, head of digital strategy & business at KRDS Singapore, more should be done by the PDPC to communicate how organisations can take immediate steps in protecting consumer data.
“When the PDPA was rolled out in 2014, it was just a policy, hence it was not clear to organisations on the immediate steps they need to take to protect consumers’ personal data. There is a need to develop and communicate frameworks and tools, to ensure the right protection is in place. Someone within the organisation is needed to be accountable for this data protection as well. Currently, many organisations treat personal data with the same level of security as official communication,” said Venkky.
It would also be better if there were tools and content available for education on data protection so firms can navigate the landscape better. “It can be something as simple as creating a protected database service for organisations to subscribe to,” he said.