Personal data protection: An intrinsic priority of Singapore's largest bank

DBS sees personal data protection as integral to its business and encourages a wider acceptance and discussion of the issue

The banking industry is driven by human interactions, which in turn are the focal point of DBS’ personal data protection policies. PHOTO: PDPC

DBS has over four million customers in Singapore alone. With over 280 branches across 18 markets worldwide, DBS considers personal data protection an intrinsic priority of the bank.

"We deal with personal data all the time," says Mr Lam Chee Kin, DBS' Managing Director and Head of Group Legal, Compliance and Secretariat. "Handling it responsibly with confidentiality, privacy and security is an inherent part of providing trusted service to customers. We consider quality privacy and data governance practices a requisite to doing business."

Mr Lam is also a member of the Data Protection Advisory Committee, which comprises individuals from various sectors that advises the Personal Data Protection Commission (PDPC) on matters relating to the review and administration of Singapore's personal data protection framework.

Pre-Personal Data Protection Act (PDPA), DBS already understood what a data protection regime would look like because several of the territories it operates in - Hong Kong, for example - had introduced similar laws much earlier than Singapore. In compliance with these jurisdictions, DBS had integrated the processes into its framework for handling individuals' personal data, including that of customers and staff.

  • Challenges

    Personal data protection requirements under the PDPA were not new ideas to DBS, but the PDPA gave rise to broader implications that had to be managed.

  • Steps Taken

    · Integrated personal data protection into an overall data governance approach that applies across all of the bank's operations

    · Appointment of a DPO to provide guidance on best practices and to engage in regular discussions with authorities

    · Used aggregated data to analyse customer service issues

  • Benefits

    · More effective implementation of personal data protection policies that are integrated in existing work flows

    · The DNC Registry has allowed for dedicated use and focus of resources, leading to better customer experiences

    · Use of data analytics to enhance customer services

With customer relationships being key to the banking business, Mr Lam emphasizes that the way they deal with their customers is something they take very seriously. "People want to be treated with respect. Therefore we design our data protection practices to be sensitive to this."

"Often people want their financial product or service without fuss, and they can get irritated by poorly-designed consent forms or lengthy explanation of how personal data will be used. That's a potential issue arising from being pedantic and ignoring practical approaches while implementing data protection procedures. If you don't give the customer a good experience, you lose the customer."


Like all banks in Singapore, DBS comes under the regulation of the Monetary Authority of Singapore (MAS) by virtue of the nature of its business. It is guided by established banking principles including client confidentiality, and now, the PDPA.

For DBS, adopting a single data governance approach that encompasses all elements of related compliance applicable to all of its business units across the globe is preferred, as opposed to having separate frameworks for individual elements.

In terms of differing jurisdictions, Mr Lam acknowledges that negotiating these differences is difficult and his advice to Small and Medium Enterprises (SMEs) with overseas operations is to consider applying the "80-20 rule".

Broadly speaking, the 80-20 rule calls for an estimation of the countries that can be brought under a single framework. These would typically be countries that have reasonably harmonized or similar laws and regulations.

One can expect there to be countries that cannot be integrated under an umbrella framework, and these are usually jurisdictions with very strict or localised definitions of concepts such as privacy.

Mr Lam adds, "The biggest challenge for us continues to be bringing everything together - including data protection rules - in a way that the whole organisation, complete with differing laws from other jurisdictions, can operate smoothly and without confusion."

One concern that relates to this is information sharing, particularly when it is at odds with cross-border or cross-entity banking regulations. Customers tend to expect the same service whether the branch is in Singapore or overseas, without being aware that it is not necessarily a straightforward process.

For instance, if a customer sends an enquiry to a branch overseas, he would expect the branch to be able to pull out all his records with the bank, regardless of where the information resides originally. DBS has to navigate both data protection and financial regulations, which govern cross-border exchange of customer data, to ensure that customer experience is as seamless as possible.

Another development which impacted overall customer experience was the introduction of the Do Not Call (DNC) Registry under the PDPA.

According to Mr Lam, operationalising this element in their processes was "a bit of a task" because DBS had to integrate its processes with that of the registry and build appropriate interception points for its marketing teams.

"However, the DNC provisions have helped us to better understand which of our customers want to be contacted for marketing purposes, which allows for dedicated use and focus of resources and thereby, a better customer experience," he adds.

The PDPA also requires the appointment of a data protection officer (DPO), and one has been duly appointed in Singapore.

Rather than appointing a DPO in every department, DBS finds that channeling data protection issues through a single contact point in the bank ensures that data protection rules are integrated into the way DBS works. Furthermore, having a single DPO streamlines engagement with regulatory bodies.


While DBS takes its data protection and accompanying privacy responsibilities seriously, a broader interest is how to turn responsible treatment of customers' personal data into a competitive advantage.

"We want to provide seamless banking services to customers," says Mr Lam. "And that requires the use of data analytics."

An example of how DBS has been using data analytics to serve customers better would be the roll-out of pop-up automated teller machines (ATMs) during the Lunar New Year festive season. This is the time of the year where there are more people visiting ATMs to withdraw new notes for distribution of red packets.

Through the use of aggregated data, DBS was able to discern where the highest traffic spots were and introduced "pop-up" ATMs at those locations in 2015. The 29 pop-up ATMs, specially designed to meet customers' need for greater ease and convenience, were set up at 10 community clubs island-wide.

The obstacle to the use of data analytics, however, may be the public's lack of awareness and understanding of how their personal data can be used for the greater good. Mr Lam highlights Singapore's aspirations to become a Smart Nation and points out that the success of this is largely dependent on a much more open sharing and utilisation of data, including personal data.

Mr Lam says, "Responsible use of data will give businesses a competitive advantage. If a company shows that it protects data well and uses data responsibly, chances are that it will be perceived favourably by customers."

Follow ST on LinkedIn and stay updated on the latest career news, insights and more.