Since its founding in 2011, the primary focus of RedMart, an online grocery service provider, has been to grow the business by providing its customers with the best possible experience.
And that starts with ensuring customers feel assured their personal data is secured when shopping with RedMart. This was what prompted the company to design its processes around personal data protection.
"Personal data protection is important; however, for many start-ups, it can be secondary to achieving growth and profitability. At RedMart, we believe that data protection is directly related to customers trusting our company, which is a necessary part of ensuring growth," explains Mr Christopher Y. Chan, Director of Legal and Government Affairs at RedMart.
Mr Chan joined the company in 2015 as its first attorney and is also RedMart's designated data protection officer.
With the enactment of the Personal Data Protection Act (PDPA) in November 2012, RedMart revised its data protection policy to ensure that its customers' personal data is well accounted for.
That was the first of the tweaks that RedMart undertook to ensure compliance with the PDPA.
Being a start-up and fairly new to the Singapore market, RedMart has to manage the growth of a thriving e-commerce business alongside personal data protection in a short span of time.
- Introduced apps designed for warehouse and delivery staff that provide minimal customer information to facilitate the execution of a successful order.
- Tightened security of customer databases with access controls and data flow mapping.
- Included confidentiality clauses in employment contracts.
- Birth of innovative apps that secure personal data.
- Processes are streamlined due to elimination of excess information shared.
- Changing customer attitude towards e-commerce through an environment of trust.
DESIGNING OPERATIONS AROUND PERSONAL DATA PROTECTION
At its core, RedMart is a logistics company powered by technology. It has the in-house expertise to develop systems to meet the demands of the market and regulations such as the PDPA.
"A lot of our business processes are designed to maximise customer experience whilst ensuring data protection," Mr Chan says.
"Previously, delivery personnel were given invoices with customers' name, address, e-mail address and contact number. Now, our delivery representatives only see what they need to."
All delivery representatives of RedMart are provided with its Delivery Buddy mobile application (app) to assist them in carrying out their tasks.
The app shows only the customer's name and delivery address, and helps map out the most efficient route around Singapore to ensure on-time deliveries.
To notify customers of the arrival of their deliveries, the app triggers an SMS notification to the customer via a secured RedMart server. This eliminates the need for the delivery representative to know the customer's contact number, and vice versa.
On the rare occasions where a delivery representative needs to contact a customer during delivery, they use the app to place the phone call directly to the customer.
The call is then logged in RedMart's system so that, for tracking purposes, it knows who called a customer and when.
Mr Chan explains that the need to make an actual phone call is rare, typically arising in situations when the delivery representative is unable to find the entrance to the property or cannot enter a secured area.
Using the SMS service to inform a customer of an impending delivery is generally sufficient.
"We give our delivery representatives enough information to do their job, and not more; to respect and protect our customers," Mr Chan adds.
RedMart also uses a Picking app that was designed for warehouse staff who have to navigate through more than 30,000 products in a 100,000 square-foot warehouse at Jurong Fishery Port.
The only information that these staff members have access to is the customer's name and the general location of the delivery.
In addition to fine-tuning customer- and delivery-centric processes, RedMart made some adjustments to its internal processes.
Mr Chan says, "We investigate all data protection-related complaints and issues that are brought to our attention. Relevant personnel are given briefings on the importance of protecting personal data and all employment letters include a confidentiality clause that staff must agree to."
DRIVING SECURE ONLINE GROCERY SHOPPING
While online shopping is a growing global trend, Mr Chan reckons that many buyers in Singapore are still conservative when it comes to online shopping because of the personal data that is required to effect transactions.
Online shoppers have to minimally provide RedMart with their names, delivery addresses, email addresses, contact numbers and payment details to place an order.
Each shopper is then assigned a customer identification number through which they can track their orders, look up order histories, as well as opt out of the various notification channels offered.
Just how secure is RedMart's customer data?
"We have taken some steps to secure customer databases, such as mapping the flow of data and restricting access via login permissions to only authorised personnel who need to know the information, such as customer service officers or programmers working on a specific issue," Mr Chan says.
"Even I cannot access the customer database because I don't qualify as an authorised personnel!"
Other information technology (IT) enhancements adopted by RedMart include, among others, the installation of firewalls, internal risk audits and regular breach checks. Yet another layer of protection is provided by its cloud-based servers in Singapore where RedMart stores its customer information.
With a strong customer-first focus, RedMart is doing what it takes to earn and keep its customers' trust.
Mr Chan says, "If online shopping is made easy and we have a good data protection policy to ensure safe transactions, we can change behaviours."
PERSONAL DATA PROTECTION A CONTINUED FOCUS
Acknowledging that implementing data protection safeguards requires time, technology, and financial resources, Mr Chan points out that allocating human resources has been the company's key challenge to date.
He highlights that it is difficult to measure or quantify the resources and man-hours expended on tackling data protection issues, as it is an ongoing process. Personal data protection will continue to be a focus for the company as it grows and expands.
RedMart employs over 700 people, and it is the IT team and data protection officer that RedMart looks to for support in complying with the PDPA.
"We take PDPA compliance very seriously and recommend that other SMEs do so, too," Mr Chan advises.
"Take a common sense approach to data protection and start with identifying the types of personal data you hold. Appointing a data protection officer is also essential because he or she would be able to cast an eye over data protection matters on a daily basis."