PDPA and AI: what Singapore SMEs actually need to know

Most of the guidance on PDPA and AI is written for large enterprises with legal teams. Here is what the Personal Data Protection Act means for smaller businesses using AI tools.

Singapore’s Personal Data Protection Act (PDPA) has been around since 2012, and most SME owners have a rough sense of what it covers: get consent before collecting personal data, keep it secure, do not sell it.

What many businesses have not worked through is how those obligations apply when you start using AI tools, and specifically when those tools are trained on, or have access to, your customers’ personal data.

This is not a niche compliance question. It is one of the most common issues I see when helping businesses adopt AI.

What counts as personal data in this context

Under the PDPA, personal data is any data about an individual that can identify them, directly or indirectly. This includes names, email addresses, phone numbers, and transaction history. It can also include combinations of data that would not identify someone on their own but do when put together.

When you feed customer information into an AI tool, such as asking it to draft a personalised follow-up email based on a client’s purchase history, you are almost certainly processing personal data.

The three questions to ask before using any AI tool with customer data

1. Where does the data go?

Many AI tools, particularly the consumer-facing versions of large language models, use your inputs to improve their models. If you paste a client’s contact details and order history into a chat interface to generate a summary, that data may be retained and used for training purposes.

This matters under PDPA because your customers gave you their data for a specific purpose. Using it to train a third-party AI model is unlikely to fall within that purpose.

2. Is there a data processing agreement?

If you are using an AI tool for business purposes, check whether the vendor has a data processing addendum or equivalent. This document outlines how the vendor handles data you share with them and what their obligations are. Enterprise plans typically include this. Consumer plans typically do not.

3. Have you assessed the risk of a breach?

AI tools that have access to customer data create a new potential point of failure. If the tool is compromised, or if an employee pastes data into the wrong interface, personal data may be exposed. PDPA requires you to implement reasonable security arrangements. Part of that is understanding where your data flows.

What “reasonable” actually means for a small business

The PDPA uses the language of “reasonable” deliberately. It does not require SMEs to implement enterprise-grade data infrastructure. It requires them to take reasonable steps given the nature and volume of the data they hold.

For most small businesses, reasonable means:

  • Knowing which AI tools your team is using, and for what
  • Checking whether those tools have appropriate data handling terms
  • Not using consumer AI tools for sensitive customer data without understanding where the data goes
  • Having a basic response plan for the scenario where personal data is accidentally shared

None of this requires a legal team. It does require someone to own it and to think it through before the tools are in use, not after.

If you are not sure whether your current AI tool usage is PDPA-compliant, that is worth finding out now rather than later. I work with SMEs on exactly this: building a picture of current AI use, identifying the gaps, and putting in place practical governance that fits the size of the organisation. Get in touch if you want to talk it through.