Article contributed by RSM Singapore
Announcements of changes to the Personal Data Protection Act (PDPA) that were made in November 2020 are now effective from 1 February 2021. In preparation for the roll-out, RSM Singapore performed a review of our PDPA processes when the announcement was made. The objective was to obtain a qualitative assessment to help us understand the risks and the impact on our organisation arising from the changes.
Below are the key actionable changes that could have an impact on our organisation.
Mandatory Data Breach Notification
Increased Penalties
Enhanced Framework for Collection, Use and Disclosure of Personal Data
Data Portability
Do Not Call Provision
A summary of the assessment is presented below:
| PDPA Amendment | Assessment | Impact on organisation |
|---|---|---|
| Increased Penalties | This is very important to our organisation. It will have a high financial impact if there is any non-compliance. | High |
| Mandatory Data Breach Notification | This is a mandatory requirement. It will impact the entire organisation if there is any non-compliance. | High |
| Enhanced Framework for Collection, Use and Disclosure of Personal Data | Our organisation collects and uses personal data. This will impact our operation if there is any non-compliance. | Medium |
| Data Portability | There is no such requirement in the organisation. | NA |
| Do Not Call Provision | There is no telemarketing activity in the organisation. | NA |
Next, our Data Protection Officer (DPO) assembled the Data Protection Managers (DPMs) from all business units and the IT department to quickly establish a plan to mitigate the risks identified, using the “Now-Where-How” methodology. This methodology helps us to better understand what is and is not working in our business NOW; gain clarity to WHERE we would want to be in the future, and determine the key strategies as to HOW we can reach it.
| PDPA Amendment | Now | Where | How |
|---|---|---|---|
| Increased Penalties | The penalty of up to $1 million is currently being communicated in the annual security & PDPA training for staff. Training on security and PDPA awareness is conducted annually. |
We need to update management and staff of the increased penalty, as this would have a huge impact on our organisation if there is any non-compliance. | We updated our executive committee, senior management, and heads of department of the penalties during the regular management meeting. We sent updates on the increased penalty to all our staff. We also updated our security and PDPA awareness materials. |
| Mandatory Data Breach Notification | We already have a data breach management plan developed since 2020. | Our data breach management plan follows PDPC’s C.A.R.E. framework. We need to update our data breach management plan so that in the event of a data breach, we are able to take the necessary steps to assess if it is notifiable. If the data breach is likely to result in significant harm to individuals, and/or is of a significant scale, we will have to notify PDPC and the affected individuals as soon as we can. |
The DPM of each business unit and the IT department updated our plan and performed a table-top exercise to test the plan. The updated plan was communicated to all staff after the test. |
| Enhanced Framework for Collection, Use and Disclosure of Personal Data | We already have in place a data inventory map. We included the PDPA clauses in our Terms of Business (TOB) |
We need to ensure the respective business units update the deemed consent requirement in their data inventory maps. For some business units, this will help them simplify the process of having to get explicit consent from their clients. We need to update the TOB to include “deemed consent”. |
We worked with our DPMs to update our data inventory maps and informed the DPO accordingly. We worked with our legal team to include the “deemed consent” clause in the TOB. |
| Data Portability | There was no data portability requirement. | No action was needed. | We provided an update in the management meeting to create awareness. |
| Do Not Call Provision | There was no telemarketing activity. | No action was needed. | We provided an update in the management meeting to create awareness. |
Case Study
The same methodology was applied to a Non-Profit Organisation client of ours, whom we helped to be in compliance with the PDPA changes. The following “Now, Where, How” analysis on the client’s data protection programme was similarly performed:
| PDPA Amendment | Now | Where | How |
|---|---|---|---|
| Increased Penalties | The client has established the PDPA policy and engaged an external service provider to provide annual PDPA training for the organisation. | They need to update their management and staff about the increased penalty, as this will have a huge impact if there is any non-compliance. | They worked with their DPO and updated their senior management on the updated penalties. We advised the client to send an update on the increased penalty to all their staff. |
| Mandatory Data Breach Notification | The client has not established a data breach management plan. | They need to establish a data breach management team, develop a 4-step action plan for data breach response (using PDPC’s C.A.R.E. framework), and conduct a table-top exercise to test the data breach response plan. | They involved their Executive Director, HODs, DPO, and IT department as the data breach management team. We assisted their DPO to establish their data breach management plan (using PDPC’s C.A.R.E. framework) and defined the roles and responsibilities of the data breach management team. We also scheduled a session with their DPO to perform a table-top exercise on their data breach management plan. |
| Enhanced Framework for Collection, Use and Disclosure of Personal Data | They did not have a data inventory map in place. | We documented their data assets and process flow using a data inventory map. | We organised a workshop with the Executive Director, HODs, DPO, and IT department to update their data inventory map. We also reviewed and updated the consent requirements on the data inventory map. |
| Data Portability | There was no defined process. | We updated their PDPA policy on data portability requirements. | We reviewed the process and updated the data portability workflow in their PDPA policies. |
| Do Not Call Provision | This did not affect the organisation, as there was no telemarketing activity. | No action was needed. | We provided an update in the HOD meeting to create awareness. |
Other considerations
In the course of our PDPA consulting work, we have also encountered several issues relating to organisational support and culture, as well as process improvement. We would like to share how RSM Singapore addressed some of these issues.
How did we continually engage with our Board of Directors and Senior Management?
We always keep our board of directors and senior management updated on any regulatory changes that would affect our business. Without the support of the senior management team, any data protection regime would fail. We also constantly educate them that personal data protection and/or cybersecurity are business enablers and not obstacles or mere additional costs to our organisation, especially to our clients that handle personal data.
Our management strongly supports and allocates resources to meet our objective of enhancing data protection.
How did we improve our Data Breach Management process?
We have a team comprising representatives from each business unit and the IT department to oversee our data protection regime.
The team performed a gap analysis on the current data breach management and practices. Subsequent steps included updating the data breach management plan as well as other stakeholders from our business units, IT department, and senior management.
The team further discussed and updated the data inventory map and the Business Impact Analysis (BIA) documents to re-identify and reprioritise the personal data based on the changes. We also developed incident scenarios in the desktop data breach table top exercise (TTX). The BIA helped to remind stakeholders of the potential impact a data breach could have on their businesses.
How did we embed a culture of Data Protection within our organisation?
Our management works closely with our data protection team to drive this initiative. While the team ensures the PDPA / Security policies are updated annually or whenever there are changes, our staff are constantly reminded of these policies, requirements, and the impact of non-compliance. We also educate them of their obligations to the Act, citing practical examples in dealing with personal data throughout the course of their employment at RSM.
How did we keep up with the PDPA with limited resources?
There are many resources on the PDPC’s portal, such that an organisation need not necessarily have to reinvent the wheel.
At RSM Singapore, our DPO leverages resources from the PDPC portal. For example, the PDPA Assessment Tool for Organisations (PATO) is a free, online self-assessment tool that provides suggestions and resources that help us improve our data protection policies and practices. This also allows our management to have an idea of the organisation’s compliance status.
Conclusion
Many businesses are not well prepared and/or are unable to keep up with the PDPA regime, due to various reasons. Some of them include inadequate resources and capabilities, weak internal controls, management not assigning adequate priority to data protection, a lack of continual awareness, and reprioritisation of business requirements.
To start, businesses can refer to the PDPC website which provides a wide array of resources to help them keep up and adapt to the ever-changing data protection landscape.
Businesses can also refer to the DPaaS@SMEs programme where SMEs can consider outsourcing their data protection functions in strengthening their data protection capabilities.