If this page does not display properly, please click here.
Arielle Law's Updates Banner

15 June, 2016

Dear Readers,
With the growing ubiquity of technology and the necessity of data collection, issues like personal data security are more relevant than ever. Find out how to comply with personal data protection laws in your business processes!
- Koh C-u Pinn, Arielle Law Corporation

PDPC Fines K Box $50,000: What business owners need to know about personal data protection

Recently in April 2016, the Personal Data Protection Commission (PDPC) fined 4 companies and warned 7 others for mishandling consumer data. Among those fined was K Box, which was fined $50,000 for mishandling the personal data of 317,000 customers.

Why was K Box fined?

K Box obtained customer data such as the name, NRIC number, and nationality through its membership program. Yet, K Box failed to put necessary security measures in place to protect customers’ data in its “CMS” (Content Management System) system. This resulted in the personal data of around 317000 customers being disclosed in a list that was published online.  

As an example of the lack of security, the administrative account with access to personal data had a username of “admin” and a weak password of “admin”. This was a breach of the Protection Obligation under section 24 of the PDPA, which states that an organization has to make “reasonable security arrangements” to protect its customer data.

To make matters worse, K Box did not appoint a Data Protection Officer (DPO) for almost 2 years, breaching the Openness Obligation under section 11(3), which states that an organization “shall designate one or more individuals” to comply with the PDPA.

K Box’s privacy policy was deemed to be “not comprehensive”, again breaching the Openness Obligation under section 12(a) which states that organizations shall “develop and implement policies that are required by the organization” to meet its PDPA obligations. For example, K Box did not have any policy to monitor whether an employee removed personal data from its premises.

Complying with the Personal Data Protection Act (PDPA)

It is critical that business owners have the knowledge to comply with PDPA guidelines, and being ignorant is no excuse.

Below are some measures that are highly recommended and fundamental to a company’s compliance with the PDPA.

  1.    Appoint a Data Protection Officer (DPO)

The PDPC encourages all organizations to appoint a DPO to manage consumer data. He/she can be an existing employee and will be in charge of developing a well-rounded data management system for the company, and also communicate this to fellow employees. K Box’s lack of a DPO was a glaring issue pointed out by PDPC.

  1.    Implement a proper data protection process

One of the main reasons for K Box’s failure to comply with PDPA was that they had weak measures in place to protect consumer data. Even its IT vendor, Finantech, did not receive any instructions from K Box to protect the data in its system. Companies can avoid making the same mistake by having a comprehensive data protection process in place.

  1.    Run a detailed inventory of consumer data

Once a DPO has been appointed and data protection measures are in place, businesses should also be aware of the details involving consumer data. Information such as who has access to the data, where the data is distributed etc should be thoroughly recorded and updated.

  1.    Actively be updated of PDPC-recommended industry guidelines

The landscape of consumer data varies greatly amongst different industries. The PDPC has guidelines for companies in various industries such as real estate, education and healthcare. It is important that companies in different industries actively keep abreast of these guidelines.

  1.    Seek legal advice if necessary

Companies that are still unsure of whether their actions are PDPA-compliant can always seek legal advice. Contact your corporate lawyer to ensure that your company’s operations are in line with the PDPA.

Personal data protection is here to stay

The fines and warnings set out by the PDPC may have been the first of its kind, but it certainly won’t be the last. Given the technology era and the large amount of consumer data collected by different companies, it is critical to avoid complacency and actively seek to comply with the PDPA.

Koh C-u Pinn Picture
Koh C-u Pinn is a director at Arielle Law Corporation, a boutique law firm that provides individualized services tailored specifically to your needs. 

Simply email us at, or give us a call at (+65) 6268-8963 to chat with us about your needs. We are always happy to discuss what works best for you, whether over email, the phone, or a freshly brewed cup of coffee.
Liked this newsletter? Forward to a friend.
Copyright © 2016 Arielle Law Corporation, All rights reserved.Arielle Law Logo
You are receiving this email because you are a client, you have previously contacted us, or you opted in at our website

Our mailing address is:
Arielle Law Corporation
51 Goldhill Plaza, #07-04
Singapore 308900

Add us to your address book

unsubscribe from this list    update subscription preferences 

Email Marketing Powered by Mailchimp