SINGAPORE - Big businesses with an eye on Big Data have applauded the impending Personal Data Protection Act (PDPA), but their smaller counterparts will have more uncharted territory to navigate when data legislation kicks in.
The amended Personal Data Protection Bill went through its second and third reading in Parliament yesterday, and is tentatively slated to be passed as an Act by January next year.
The PDPA, designed to prevent the misuse of personal information, will govern how businesses collect, use, protect, correct and provide access to personal data. After the Act is passed, organisations will have an 18-month transition - or "sunrise" - period before the new law kicks in.
The Act also provides for a national Do Not Call (DNC) registry with which individuals can sign up to opt out of marketing messages. Organisations have to check individuals' numbers against the registry before sending marketing messages. Firms that contravene the data protection and DNC provisions will be fined up to $1 million and $10,000 per offence, respectively.
While large firms have the advantage of heft and experience to welcome the changes, smaller firms see mostly mounting costs and greater operational uncertainty.
Jessica Tan, general manager for Microsoft Asia Pacific's enterprise and partner group, told Parliament yesterday that more data regulation would be needed for Singapore to defend its cloud computing and data hub ambitions.
Cloud computing and cross-border data transfers might represent large opportunities for IT firms, but smaller firms on the user end will find their own usage of cloud services coming under scrutiny with the new data law.
A key addition to the Bill mandates that companies transferring personal data out of Singapore have to make sure that the data in question continues to receive a standard of protection that is comparable to the one offered by this new Act. Organisations may, however, apply in writing for an exemption from this requirement.
"It is important for companies to understand what the applicable standards are, as it is increasingly common for companies to transfer data out of Singapore ... for storage or business continuity planning," said Lim Chong Kin, head, telecommunications, media and technology at Drew & Napier.
Also, large and small businesses appeared to differ dramatically in terms of the amount of time needed to fall in line with the act.
Microsoft's Ms Tan proposed that the 18-month sunrise period for all organisations be shortened to 12 months for large firms and lengthened to two years for smaller ones.
Teo Siong Seng - the president of the Chinese Chamber of Commerce & Industry - took it further in Parliament yesterday, proposing that companies with less than $10 million in revenue be allowed to use the 18 months to draft compliance policies, and for a further 12 months of sunrise period after that.
"This will give them more breathing space for proper implementation," Mr Teo said.