The Personal Data Protection Act (PDPA) is a law that governs the collection, use and disclosure of personal data by all private organisations in Singapore. The Act came into full effect on 2nd July 2014.
Companies that handle personal data from Singapore are responsible for lawful processing under Singaporean law. The transfer of personal data outside of Singapore is regulated, and the PDPC is the main enforcing authority.
As more and more companies adopt policies to be compliant and competitive, it is only a matter of time before companies of all shapes and sizes adopt data protection policies and work toward compliance.
To be compliant with the law, there are several steps to take.
Step 1 – Appoint a Data Protection Officer
First, in accordance with section 11 of the PDPA, companies need to appoint a Data Protection Officer (DPO). The DPO will help management develop policies, programs, and training for employees to comply with the PDPA. The DPO will also keep management informed of changes to the regulations and issues on the ground.
Step 2 – Understand the PDPA Obligations
Secondly, company founders and directors need to understand their obligations under the PDPA. Currently, there are 10 obligations, with the latest one added on 1st Oct 2022. With an understanding of the obligations, management can then have a better appreciation of the PDPA and the necessary actions to take.
Step 3 – Develop a Data Protection Policy
Thirdly, section 12 of the PDPA requires companies to develop policies and processes to meet the obligations under the PDPA. These policies and procedures will form the baseline of personal data practices within the company. They would then need to be communicated to all staff to ensure compliance.
Step 4 – Develop an Information Security Policy
We are now living in the information age.
Companies today are increasingly adopting technology to go digital and establish an online presence. While the adoption of technology makes things more efficient and convenient, it also exposes us to cybercriminals who want something from us.
To remain safe and compliant, technology is employed to help fulfill certain obligations of the PDPA. These technologies serve as controls that provide protection, alerts, and audit trails for documentation purposes. Hence, an information security policy is necessary to augment personal data protection practices within the organisation.
Step 5 – Develop a Data Protection Program
Without a program to back them up, policies are just text on paper.
A personal data protection program should detail tasks to be done to ensure compliance. Creating a data inventory, understanding data flow, and identifying owners are the baseline of any data protection program. Specific areas such as consent, notification, personal data request, handling of personal data, complaints, and data breaches need to be covered in the program. Regular testing and rehearsals should be conducted whenever possible.
Step 6 – Employee Awareness Training
To turn employees from victims into defenders of the organisation, it is crucial for them to familiarize themselves with company policies and best practices. Hence, regular training and assessment need to be done to keep every employee on their toes.
Step 7 – Regular Audit and Update
Finally, as new threats and new ways of working emerge, there will be changes in the way we do things. Hence, regular audits are necessary to fine-tune any process. New discoveries need to be updated in the respective policies to keep them current and relevant.
Personal data regulations are not about to go away any time soon. In fact, their adoption by companies will increase. As companies become more aware of their obligations, they may require their business partners to implement PDPA-compliant policies and processes. Any failure to adopt such practices could result in a personal data breach on their end. The fallout may affect the companies that are the data controllers. This could lead to bad press, loss of revenue, and, for some, even the loss of their jobs.
If you need help in any way on your data protection journey, do drop us a note.