PDPA Consulting

The Personal Data Protection Act (PDPA) is a mandatory regulation that every organisation needs to comply with. Its objective is to ensure that an organisation puts in place a data flow protection process covering the collection, storage, use and disclosure, transfer and disposal of personal data. This personal data may belong to its staff, customers and other stakeholders.

For more information, visit the Singapore regulator's website:

PDPC Website:  www.pdpc.gov.sg

We have created the following video to give organisations a good overview of the PDPA, together with guidance on the proper selection of the Data Protection Officer (DPO) who oversees PDPA compliance.

Phase 1:

Objective: 

Gathering information about the organisation’s Data Flow.

Agenda: 

  • Draft out the organisation's business scope
  • Draft out the Data Flow Diagram for the organisation
  • Fill in the Data Inventory Map
  • Ensure a Data Protection Officer is appointed and plan the PDPA training required for the role
  • Share the rationale of the PDPA and encourage the organisation to have departmental heads join the Data Protection Team
  • Review all Notices, forms used in collecting personal data, SOPs, etc.
  • Review the organisation's IT setup and controls, if any: secured email, website, portals used, data storage and backup in use

Phase 2:

Objective: 

Conduct an overall Enterprise Data Flow Risk Assessment, using ISO 31000

Agenda: 

  • Identify all potential risks at the entry, exit and storage points of personal data
  • Draft out the Risk Analysis Summary
  • Draft out the Risk Response Summary
  • Provide the Risk Mitigation Cost template for the organisation to fill in the budgeted amount
  • Provide the Contingency Risk Budget template for the organisation to decide on the amount, or explore obtaining cybersecurity insurance if needed
  • Present the Risk Summary to the organisation for its understanding and follow-up actions
  • Recommend controls, to be documented in the Data Protection Management Programme (DPMP)

Phase 3:

Objective: 

Design and Documentation of the Data Protection Management Programme (DPMP)

Agenda: 

  • Draft all the necessary Notices based on the various purposes for collecting personal data (public, staff, etc.)
  • Improve all existing forms used for collecting personal data, with advice on data minimisation and proof of consent acquisition
  • Access and Correction Procedure
  • Draft the various policies and other controls based on the Risk Summary: Retention Policy, Communication and Device Usage Policy, etc.
  • Communication and Training Schedule for the organisation's staff, to establish a privacy culture in the organisation
  • Dispute Resolution Procedures and Form, to be integrated with the existing Customer Support SOP
  • Breach Response Plan and Incident Response Form

Please note that we do not encourage the outsourced DPO approach promoted by many service providers, because we believe the organisation needs to be actively involved in promoting the privacy culture and ensuring compliance with the Obligations by making sure that all the controls put forward are adhered to. Thus, for Year One, we assist the organisation in setting up and coaching its Data Protection Committee, because this is more sustainable and practical in the long run.

Many consulting services and law firms provide incomplete PDPA compliance services: their services only provide a templated privacy policy. However, complete PDPA compliance requires proper documentation of the Data Protection Management Programme (DPMP).

The DPMP is a robust set of documentation containing the whole array of documents required as part of PDPA compliance implementation.

For more information, please refer to the following:

https://medium.com/@consult_49717/unethical-compliance-cba6895a2a29

https://medium.com/@consult_49717/what-is-involved-in-complying-with-the-pdpa-26a1d3838a25

https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/DPMP/Guide-to-Developing-a-Data-Protection-Management-Programme-(18-Nov-2020).pdf?la=en

If you have customers from Europe...
You will also need to comply with the GDPR.