Data protection regulations are now in force in Singapore.
The Do Not Call (DNC) Registry rules took effect on 2 January 2014. Holders of Singapore telephone numbers have been able to register and avoid receiving unwanted text, voice or fax marketing messages.
After an 18-month “sunrise” period to allow organisations to get their internal processes in order, nine personal data protection obligations and limitations took effect on 2 July 2014. Organisations must comply with them when they collect, use or disclose personal data from or about individuals, including their employees.
Boards of companies need to ensure that management implements a robust compliance framework as part of its overall risk management responsibilities. In implementing this framework where the law is clear, management should act on an understanding of what is permissible and what is not. Where the application of the law is subject to interpretation, management should proceed in a way that is consistent with the risk appetite developed by the Board.
The DNC rules present a good example. They do not prevent organisations from sending marketing messages to Singapore telephone numbers in all circumstances. For instance and leaving aside the data protection rules for the moment, the DNC rules are clear that marketing messages may be sent to numbers that are not listed in the DNC Registry.
Where a number is listed in the DNC Registry, marketing messages may nevertheless be sent in the context of an on-going relationship if the purpose of the message is related to the subject of the ongoing relationship. There could be genuine debate as to whether there is an on-going relationship in any particular case and/or about whether the message has the necessary connection with that relationship. A decision consistent with the organisation’s risk appetite must be made before deciding whether or not to proceed with sending the message.
Yet, it appears that some organisations in Singapore have simply tipped targetted marketing messages into the “too difficult basket” and stopped using them altogether.
Similarly, the data protection rules do not prevent organisations from continuing to use personal data for the purposes for which they were collected prior to 2 July 2014. And yet, rather than applying a risk-based approach to determining the purpose for which personal data was collected, many organisations play it safe by burdening their stakeholders and requiring them to give specific consent for the continued use of personal data.
Beyond compliance to opportunities
The practical outcomes currently observed suggest boards need to guide management to not only apply a risk-based approach, but to also try another perspective: stop seeing data protection merely as a legal and compliance requirement that stands in the way of doing business.
Boards can, and should, communicate to management an expectation that they will implement data protection requirements in ways that find new opportunities to enhance operations and customer relationships.
One example is SingTel. It went beyond the current data protection rules to build a portal which provides customised options for its users on the type of marketing messages they want to receive. The greater granularity of options is beneficial to its customers but also provides the telco greater insights into its customers’ preferences. On top of that, the widely-reported pioneering response made good marketing copy.
As I observe the implementation of data protection laws in Singapore and elsewhere, the common factor is that legal or compliance staff are expected by management to take “ownership” of the issue. This yields a necessarily conservative outcome because legal and compliance staff are tasked with minimising risk, not with making decisions that take the company’s risk appetite into account.
Fundamentally different outcomes would occur if the issue of data protection was “owned” by chief executives and their sales and marketing teams, with expert input by legal or compliance staff.
This turns the conversation, and therefore the outcome, on its head. It stops being “tell me what I can and cannot do” and becomes “how do we make it happen – within acceptable legal parameters? What are the risks and options for such decisions?”
This solution-led approach could creatively improve customer service and relationships in the new data protection era. It directly confronts the key operational premise: how can we do better at winning and retaining customer loyalty in this new reality?
Clearly, I am not advocating non-compliance of the law. However, practical requirements can give rise to a considerable grey area, and the need to “make a judgment call”. The board must guide management towards decisions based on sound risk management, not just from a minimal-risk perspective.
Data protection laws are here to stay. The response from boards and management should be to leverage these laws while complying with them.
Lyn Boxall is a member of the Professional Development Committee of the Singapore Institute of Directors.
This article was first published in The Business Times and BT Invest (a financial portal of The Business Times), under the column “Boardroom Matters” by the Singapore Institute of Directors.