7 steps to being PDPA compliant
https://gtmlabs.com/pdpa-compliant/
Fri, 14 Apr 2023 16:02:00 +0000

The Personal Data Protection Act (PDPA) is a law that governs the collection, use and disclosure of personal data by all private organisations in Singapore. The Act came into full effect on 2 July 2014.

Companies that handle personal data from Singapore are responsible for processing it lawfully under Singaporean law. The transfer of personal data outside Singapore is regulated, and the Personal Data Protection Commission (PDPC) is the main enforcing authority.

As more and more companies adopt policies to be compliant and competitive, it is only a matter of time before companies of all shapes and sizes adopt data protection policies and work toward compliance.

To be compliant with the law, there are several steps to take. 

Step 1 – Appoint a Data Protection Officer

Foremost, in accordance with section 11 of the PDPA, companies need to appoint a Data Protection Officer (DPO). The DPO helps management develop the policies, programs and training that employees need to comply with the PDPA. The DPO also keeps management informed of changes to the regulations and of issues on the ground.

Step 2 – Understand the PDPA Obligations

Secondly, company founders and directors need to understand their obligations under the PDPA. Currently, there are 10 obligations, with the latest one added on 1 Oct 2022. With an understanding of the obligations, management can better appreciate the PDPA and the actions it requires.

Step 3 – Develop a Data Protection Policy

Thirdly, section 12 of the PDPA requires companies to develop policies and processes to meet their obligations under the PDPA. These policies and procedures form the baseline of personal data practices within the company. They then need to be communicated to all staff to ensure compliance.

Step 4 – Develop an Information Security Policy

We are now living in the information age.

Companies today are increasingly adopting technology to go digital and establish an online presence. While the adoption of technology makes things more efficient and convenient, it also exposes us to cybercriminals who want something from us.

To remain safe and compliant, technology is employed to help fulfil certain obligations of the PDPA. Technical measures serve as controls that provide protection, alerting, and audit trails for documentation purposes. Hence, an information security policy is necessary to augment personal data protection practices within the organisation.

Step 5 – Develop a Data Protection Program

Without a program to back them up, policies are just text on paper.

A personal data protection program should detail the tasks to be done to ensure compliance. Creating a data inventory, understanding data flows, and identifying data owners are the baseline of any data protection program. Specific areas such as consent, notification, personal data access requests, handling of personal data, complaints, and data breaches need to be covered in the program. Regular testing and rehearsals should be conducted whenever possible.

Step 6 – Employee Awareness Training

To turn employees from potential victims into defenders of the organisation, it is crucial that they familiarise themselves with company policies and best practices. Hence, regular training and assessment need to be done to keep every employee on their toes.

Step 7 – Regular Audit and Update

Finally, as new threats and new ways of working emerge, there will be changes in the way we do things. Hence, regular audits are necessary to fine-tune any process. New findings need to be reflected in the respective policies to keep them current and relevant.

Personal data regulations are not about to go away any time soon. In fact, their adoption by companies will increase. As companies become more aware of their obligations, they may require their business partners to implement PDPA-compliant policies and processes. Any failure to adopt such practices could result in a personal data breach on the partner's end. The fallout may affect the companies that are the data controllers. This could lead to bad press, loss of revenue, and for some people even their jobs.

If you need help in any way on your data protection journey, do drop us a note.

Information Security Policy – why you need one
https://gtmlabs.com/information-security-policy/
Fri, 23 Aug 2019 04:54:00 +0000

An information security policy is a vital document for an organization. It serves as a baseline of what a company is doing to protect information within the organization. It also serves as a reference for employees on how they should handle information.

The information security policy is gaining importance as more and more of a company's internal processes become digitized and outsourced. As a company relies more on automation and onboards more software applications, the risk of a cyber incident increases. This would unnerve stakeholders such as bankers.

An information security policy gives external stakeholders assurance of management's commitment to mitigating cyber attacks and data breaches. Even if you are a small business owner, you need an information security policy to document what you have in place to safeguard confidential data, especially personal data.

The trend of employees working remotely also adds to the risk of a cyber incident. Sometimes, users work over third-party networks whose security may be lacking. While transmitting without encryption on these third-party networks, they run the risk of being compromised through a man-in-the-middle attack.

In the last few years, many countries across the world have been enacting privacy laws to protect the privacy of their citizens.

In the event of a data breach, there will be an investigation by the regulators. One of the things they would request is the company's information security policy. The existence of an information security policy gives the regulators an indication of management's commitment to taking cybersecurity seriously. If an information security policy is lacking, the company runs the risk of attracting a hefty fine.

Just like any other policy in the company, understanding the content of the information security policy should be made mandatory. Every employee should comply with it to insulate themselves and the organization against regulatory fines and civil suits.

With the increased chance of a cyber incident, companies need to start preparing themselves for one. Careful consideration of how to defend and respond to one is more important than ever. The information security policy is an excellent place to start in improving a company’s cyber posture.

We can help in drafting one for your organisation, shall we have a conversation?

Policies you need to have on your website
https://gtmlabs.com/policies-you-need-to-have-on-your-website/
Fri, 14 Sep 2018 04:50:00 +0000

As more and more companies embrace technology and go online to conduct their business, they need to understand their legal obligations. Companies and governments no longer view the Internet as a playground for people trying to experiment.

Today the Internet plays a crucial role in business. It has gone from being just a communication platform to one where transactions are made daily. Along with those transactions, personal data such as credit card details are indiscriminately captured, manipulated, and even sold.

Governments all around the world are stepping in to protect the privacy of their citizens. Besides internal corporate policies and business legal documentation, regulators are introducing requirements for companies to have policies and documented procedures to safeguard the personal data of their users.

Below is a list of policies that corporate and online vendors should generally have on their website and internally within their organization.

On every website, the following are baseline policies you would want to include. The first three are required by law.

  • Cookie acceptance bar
  • Cookie policy
  • Privacy policy
  • Terms of Use

Within an organization, the following internal policies would supplement the above policies.

  • Human resource policy
  • Information security policy
  • Data Privacy policy

If you are running an eCommerce business, you might further need to have the following policies:

  • Listing policies
  • Payment policies
  • Refund policy etc.

Do note that the above list is not exhaustive, as each industry has its own set of governing regulations that require domain-specific policies. For example, if you are in the financial sector, you need to further comply with anti-money laundering policies as required by the respective financial regulators.

This post was written to help our readers understand some of the legal documentation and policies they need to have in place to safeguard their online presence. The list outlined in this post should not be viewed as the final and complete listing of all policies and legal documentation needed internally within the organization or on the website. Ultimately, all companies have different business models and offer various services in different industries.

We strongly recommend that you check with your legal team or a specialized third-party legal service provider to ascertain the complete set of policies and documentation needed.

GDPR, cookies and my website
https://gtmlabs.com/cookies-and-my-website/
Sat, 28 Jul 2018 04:19:00 +0000

The General Data Protection Regulation, GDPR for short, is a privacy law designed to protect the personal data of European Union (EU) residents. The GDPR took effect on May 25, 2018, and affects all companies, regardless of origin, if they possess the personal information of an EU citizen in their database.

Prior to the GDPR, websites would drop cookies onto their visitors' browsers without their knowledge or consent. All that changed with the GDPR legislation. Recital 30 of the General Data Protection Regulation treats cookies as personal data, and the regulation requires websites to obtain valid consent when collecting personal data from their users. The law now gives citizens rights over their data.

Why do we need cookies?

Cookies are small pieces of data that a web server sends along with the requested page the first time the browser calls it. Once stored in the browser, these cookies send data such as the user ID, session ID, and settings back to the web server with subsequent requests. The cookies remain in the browser until they are flushed out through the "clear cookies" action.

Cookies help to improve the user experience on a site. They store information to identify you and provide personalized content and settings.

For example, one of the significant backend applications that use cookies is Google Analytics. Google Analytics uses cookies to monitor site traffic and user behavior.

Why do the regulators care so much about these cookies?

Like all good things, cookies can be misused in the wrong hands. While cookies are convenient for website users, they can turn sinister when used to track and remember user behavior for monitoring and marketing purposes.

Regulators aim to make users conscious of what they allow, rather than granting marketing companies unrestricted access to collect personal data. Users should be given the opportunity to refuse cookies when they visit a site. Hence, the rise of cookie consent and its management.

How does one become GDPR-compliant with regard to cookies?

For starters, you would need to have a prominent cookie consent banner on the front of your home page. The purpose of the consent banner is to inform your visitors that you are using cookies on your website. The visitor then has a choice of whether to accept and proceed. Should they disagree on the use of cookies, they would not be able to proceed further and have to exit the website.

The banner could be either a pop-up or a banner bar. The bar could be at either the top or the bottom of the page. The pop-up or the banner should give clear and precise information about the purposes of the cookies placed in the user's browser. Pre-ticked boxes for cookie consent are not allowed. What regulators want to see is an affirmative action such as "accept" or "reject".

Next, you need a cookie policy that informs visitors which cookies are used on your website and for what purpose. This gives visitors some knowledge of, and comfort about, how their data will be used.

Finally, you have to keep a cookie consent log to document each visitor's consent as proof of compliance in case you come under regulatory scrutiny.
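The three steps above (banner with an affirmative choice, no pre-ticked boxes, consent log), as an added JavaScript example that is not part of the original post: non-essential cookie categories stay off until the visitor explicitly accepts them, essential cookies cannot be switched off, and every decision is appended to a log. The category names, cookie names and the policy version string are assumptions made for illustration.

```javascript
// Added example, not from the original post. A minimal consent gate for cookies:
// non-essential categories stay off until an affirmative choice is recorded, nothing
// is pre-ticked, and every decision is appended to a consent log for audit.
// Category names, cookie names and the policy version are hypothetical.

const COOKIE_CATEGORIES = {
  necessary: { essential: true,  purpose: "session and security; always on" },
  analytics: { essential: false, purpose: "site traffic measurement (e.g. Google Analytics)" },
  marketing: { essential: false, purpose: "advertising and cross-site tracking" },
};
const POLICY_VERSION = "cookie-policy-v1"; // hypothetical version of the published cookie policy

// State before the visitor acts: only strictly necessary cookies are enabled.
function defaultConsent() {
  const state = {};
  for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) state[name] = meta.essential;
  return state;
}

// Record an explicit "accept"/"reject" per category. Omitted categories stay rejected;
// essential categories cannot be switched off; unknown categories are an error.
function recordConsent(log, choices, now = new Date()) {
  const state = defaultConsent();
  for (const [name, granted] of Object.entries(choices)) {
    if (!(name in COOKIE_CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
    if (!COOKIE_CATEGORIES[name].essential) state[name] = granted === true;
  }
  log.push({ at: now.toISOString(), policy: POLICY_VERSION, choices: { ...state } });
  return state;
}

// Gate every Set-Cookie decision through the consent state.
function mayPlaceCookie(category, consentState) {
  return category in COOKIE_CATEGORIES && consentState[category] === true;
}

// Simulated cookie jar (a Map) showing which cookies the gate lets through.
function applyConsent(jar, consentState) {
  const wanted = [["necessary", "sid"], ["analytics", "_ga"], ["marketing", "ad_id"]];
  for (const [category, cookieName] of wanted) {
    if (mayPlaceCookie(category, consentState)) jar.set(cookieName, "constructed-value");
  }
  return [...jar.keys()];
}

// Stand-alone demo: before any choice only "sid" is set; then the visitor accepts
// analytics but rejects marketing.
const demoLog = [];
console.log(applyConsent(new Map(), defaultConsent()));
console.log(applyConsent(new Map(), recordConsent(demoLog, { analytics: true, marketing: false })));
```

In a real site the consent state would be persisted (for example in a first-party cookie or local storage) and the log written server-side, so that the record survives and can be produced for a regulator.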

If you need help in implementing any of the above, let’s connect.
