How to keep your business safe under the Personal Data Protection Act Reaching out to a business’ customers isn’t just a question of marketing savvy and clever ad copy – it’s also a legal issue. Singapore’s new Personal Data Protection Act (PDPA) requires business needs to check for compliance when collecting, using or disclosing the personal data of customers. The risks of non-compliance are stark - ranging from customer complaints and civil liability to fines of up to S$1 million. On May 3, the Internet Society (ISOC) Singapore Chapter organized a workshop on the Personal Data Protection Act, and how businesses could stay safe. Mr David Alfred, the chief counsel of the newly instituted Personal Data Protection Commission (PDPC), delivered a keynote address outlining the history, scope and reach of the act. He disaggregated the definition of terms like ‘personal data’ (which, for instance, includes your handphone number but not your business’ address) and delineated the scope of upcoming schemes such as the ‘Do Not Call’ regime (marketing campaigns and ads are covered, but not market research or surveys). The PDPA, he said, would enhance Singapore’s reputation as a data processing hub, and bring it on par with international standards. Benjamin Ang, a lecturer on Intellectual Property Law with Temasek Polytechnic, outlined a set of recommendations for businesses and individuals to transition towards compliance with the new act. Businesses must be transparent with their handling of data, he urged, and set up a complaints response process. By the end of the workshop, the myriad legal issues lurking behind the constant barrage of sales promotions, loyalty cards and tele-marketing calls were clearer. More than 50 participants, from entrepreneurs and university students to professionals from various industries and backgrounds, asked pointed questions and discussed legal concepts and realworld applications.