New Undertakings on 9 April 2026

09 Apr 2026

This week, the Commission has published three Voluntary Undertakings. 

The incidents involved a ransomware attack, an unauthorised database access due to misconfigured security settings, and an erroneous email disclosure of personal data. Common contributing factors included inadequate access controls, improperly configured database permissions, and the absence of operational safeguards when handling sensitive personal data.

 

To address these issues and improve data protection practices, the organisations will be implementing a range of remediation measures, including:

  • Enforcing multi-factor authentication and conditional access policies for remote and cloud-based services
  • Obtaining CSA Cyber Essentials certification and conducting external security audits
  • Configuring row-level security for databases with appropriate roles and permissions
  • Password-protecting email attachments containing sensitive personal data and introducing email verification checklists for staff
  • Appointing a Data Protection Officer, and developing and implementing data protection policies and consent processes

The PDPC has accepted these Voluntary Undertakings after considering the types of personal data affected, the circumstances surrounding each incident, and the organisations' readiness to implement their remediation plans to meet their obligations under the PDPA.

 

Access the Voluntary Undertakings.