Data as Fuel – Privacy and the PDPA in the AI Era

By

|

The 400% tax deduction is the carrot. The PDPA is the stick. As SMEs race to integrate AI, this article examines the data protection obligations that intensify — not diminish — when AI is deployed in your business.

In the wake of the 2026 Budget incentives, many SMEs are racing to integrate AI into their operations. However, the excitement of a 400% tax deduction should not blind business owners to a fundamental reality: AI thrives on data, and in Singapore, that data is governed by the Personal Data Protection Act (PDPA). As your business moves from manual workflows to AI-driven automation, your legal responsibility toward customer and employee data doesn’t just remain—it intensifies.

The Personal Data Protection Commission (PDPC) has been clear: the PDPA is technology-neutral. Whether you are using a filing cabinet or a sophisticated LLM (Large Language Model), the core obligations of consent, purpose limitation, and protection still apply.

The Consent Conundrum in AI Training

The most common pitfall for SMEs is the “training trap.” If you intend to use existing customer data to train or fine-tune a custom AI model (perhaps to better predict local buying habits), you must ensure you have the appropriate consent.

Under the PDPC’s Advisory Guidelines on the Use of Personal Data in AI Systems, businesses can sometimes rely on the “Business Improvement Exception” to use personal data without fresh consent for internal AI development. However, this is not a blank check. The use must be for a purpose that a “reasonable person” would consider appropriate, and the data cannot be used to make autonomous decisions that significantly affect the individual without transparency. If you are using third-party AI tools, the risk shifts to Data Intermediary obligations—you are still responsible for ensuring that the vendor you choose has robust data protection measures in place.

Navigating the New “Agentic AI” Framework

January 2026 marked a milestone with Singapore’s launch of the Model AI Governance Framework for Agentic AI. Unlike standard AI that simply answers questions, “agentic” AI can independently plan and take actions—like an AI bot that not only answers a customer query but also issues a refund or modifies an order.

For an SME, this autonomy creates a “black box” of liability. If your AI agent accidentally leaks sensitive client data while communicating with another app, the PDPC will look at your Accountability Obligation. Did you “bound” the agent’s access? Was there a “human-in-the-loop” for high-stakes decisions? Accountability cannot be outsourced to the software provider.

Practical Guardrails: A Checklist for 2026

To ensure your AI adoption remains compliant and doesn’t lead to a costly “Correction Direction” or fine, consider these three immediate steps:

  • Conduct an AI-Specific Data Audit: Map exactly where personal data flows into your AI tools. Is it being sent to a server overseas? Is it being used by the provider to train their global models? (Many enterprise-grade tools allow you to opt out of this—make sure you do).
  • Update Privacy Policies: Transparency is a key pillar of the PDPA. Your customers have a right to know if their data is being processed by AI. Update your notices to explain the how and why of AI processing in simple, clear language.
  • Implement Data Minimisation: The best way to protect data is not to have it in the first place. Use anonymisation or “scrubbing” techniques to remove personally identifiable information (PII) before it ever reaches the AI prompts.

The Cost of Non-Compliance

While the Budget 2026 incentives provide a “carrot,” the PDPA provides the “stick.” With financial penalties for data breaches potentially reaching up to 10% of an organisation’s annual turnover in Singapore (for those with turnover exceeding $10 million), a single AI mishap can wipe out all the productivity gains you’ve achieved.

As we move into Article 3, we will look at the next layer of this digital transformation: ensuring that once your AI is fed and running, you actually own what it creates.

This article is part of the “AI, the Law and the SME” series by OTP Law Corporation. At OTP Law Corporation, we specialise in helping SMEs navigate the intersection of technology and law. If you are reviewing any of your commercial contracts, drafting an AI governance policy or have any other legal needs, contact us to ensure your business is protected.

By