PDPC Opens GenAI Data Consultation: A Founder's Take | RECATOOLS

Singapore's Regulator Just Opened the GenAI Data Question — Founders Should Read That as a Signal, Not Wait for the Fine Print

Photo by TheDigitalArtist on Pixabay

AI & ML · 7 Jun 2026 —

On 2 June 2026, Singapore's Personal Data Protection Commission (PDPC) opened a public consultation on its Proposed Advisory Guidelines on the Use of Personal Data in Generative AI. The text is a draft, out for feedback, and the regulator has filed it under two tags worth sitting with: "Artificial Intelligence (AI)" and "Data Use."

I'm not going to walk you through clauses that are still being consulted on — if you want the specifics, read the PDPC's consultation document directly, because that is the only place the detail can be relied on while it's in flux. What I want to talk about is why the existence of this consultation should matter to you long before any of it is settled. I run a company that helps SMEs put AI to work, and I spend the other half of my time thinking about the security and data risk that comes with it. From both seats, the way I read it is the same: when the data-protection regulator starts drawing lines specifically around personal data in generative AI, the floor under your business is starting to move — and to my mind, the smart operators build to where it's going, not to where it is today.

Why I think this lands hardest on SMEs

There's a comforting assumption among smaller businesses that AI governance is a problem for the Googles and the banks. I don't buy it. The PDPC hasn't framed this as an SME issue — but in my experience, for many SMEs the risk is likely to appear the moment they connect third-party AI tools to operational or customer data. That's the part founders are least equipped to think about while they're chasing the productivity win, and it's where I'd expect the trouble to surface first.

Here's the framing I give the businesses I work with: the data you feed into an AI system sits on two lines of your balance sheet at once. It's an asset — it's what makes the tool useful. And it's a liability, because once personal data has entered model development or system workflows, later access, correction, or removal can become technically difficult — something the PDPC itself acknowledges in recognising the technical limits on identifying, correcting, or removing specific information once it's in a model. A regulator opening a formal consultation on this exact question is, to my reading, a sign the liability side of that ledger is going to get more attention, not less.

What I'd do now, regardless of the final wording

You don't need the finalised guidelines to start. The disciplines that will keep you on the right side of wherever this lands are the same ones good security and data practice have always demanded:

Know your data's provenance. Treat every dataset you feed into an AI system the way you'd treat any other component in your supply chain — with a record of where it came from and why you're entitled to use it. If you can't answer that for a dataset, that's your weakest point.
Don't assume your AI vendor carries your liability. The PDPC's position is that the organisation deploying a system bears primary responsibility for ensuring it can meet PDPA obligations — and needs sufficient information about the upstream safeguards to make that call. Put plainly: using a third-party model doesn't remove the deployer's need to assess whether the system can meet those obligations.
Collect less, and say clearly what you do with what you collect. Minimising the personal data in play and being plain with people about how it's used isn't just hygiene — in enterprise procurement it's increasingly something you can win deals with. Private-by-design is becoming a sales advantage, not just a compliance posture.

None of that depends on a single clause of the draft. It's the work that makes you ready for the draft.

The window is open — and it's short

The thing most businesses get wrong about a public consultation is treating it as an announcement to react to later, rather than a door that's briefly open. It's a draft because the regulator is asking for input, and the PDPC has set submissions to reach it by 1 July 2026, 5.00 PM. If something in the draft would be unworkable for how a real SME handles data, the time to say so is before that date — and at minimum, the time to read it and brief your team is now, not after it hardens into the standard you're measured against. Singapore tends to set the template the rest of ASEAN watches, so this is worth the attention even if you operate primarily across the causeway or further afield.

Key Takeaways

On 2 June 2026 the PDPC opened a public consultation — closing 1 July 2026, 5.00 PM — on proposed advisory guidelines for the use of personal data in generative AI; most specific provisions are still in draft.
The PDPC has not framed this as an SME issue; in my view, the risk for many SMEs will surface when they connect third-party AI tools to operational or customer data.
The PDPC's position is that the deploying organisation bears primary responsibility for ensuring a chosen system can meet PDPA obligations — don't assume your vendor carries that for you.
You can act before the final text: track data provenance, assess vendor systems against PDPA obligations, and treat private-by-design as a competitive edge.

Jeffrey Tan's VerdictStrategy

A regulator opening a consultation is not a reprieve; the way I see it, it's a roadmap with the destination already pencilled in. You don't have to guess where personal-data rules for generative AI are heading — Singapore just told you it's actively drawing them. So build to the direction of travel. Map your data to a reason you're allowed to use it, put a named human in charge of data provenance the way you'd put one in charge of the finances, and read the PDPC's draft yourself rather than trusting anyone's secondhand summary of it — including a confident-sounding one. Governance done early is product. Done late, it's a fire drill. The founders who treat this consultation as a prompt rather than a press release will be the ones still standing when it has teeth.

Sources & cross-checks

Primary: PDPC, "Public Consultation on the Proposed Advisory Guidelines on Use of Personal Data in Generative AI," published 2 June 2026 — https://www.pdpc.gov.sg/organisations/regulations-decisions/public-consultations/public-consultation-on-the-proposed-advisory-guidelines-on-use-of-personal-data-in-generative-ai
Verified: Against the PDPC consultation — the consultation is issued by the PDPC, dated 2 June 2026, scoped to "Artificial Intelligence (AI)" and "Data Use," and closes 1 July 2026 at 5.00 PM. The draft assigns the deploying organisation primary responsibility for ensuring a system can meet PDPA obligations, and recognises technical limits on identifying, correcting, or removing personal data once it is in a model. The draft's remaining specific provisions are still in consultation and are not characterised here.

Tags: #ASEAN #SME #AI #data-governance #pdpc

Jeffrey Tan

Founder & Architect, RECATOOLS · Singapore

Jeffrey Tan is the Founder & Architect of RECATOOLS, a Singapore-based technology initiative focused on free tools, AI-curated news, cybersecurity intelligence, and ASEAN-ready digital utilities.

View author profile → · Editorial policy