Keynote Speech by Mr Yeong Zee Kin, Deputy Commissioner of PDPC, at the IAPP Asia Privacy Forum on Monday, 24 July 2017, at the Sands Expo and Convention Centre, Marina Bay Sands
24 Jul 2017
Ms Rona Morgan, IAPP Managing Director of Asia,
Our Philippine counterpart, Commissioner Raymund Liboro from the National Privacy Commission,
Fellow personal data protection and privacy colleagues,
The Evolving Role of Data Protection Officers
1. It is my privilege to be able to again address my colleagues and comrades-in-arms in personal data protection. It is almost a year to the day that I last stood before you and shared PDPC’s view of how a robust personal data protection regime is not inimical, but can contribute positively to, the innovative use of data. Since then, we have done our best to strike the right chord, by ensuring that we provide advisory guidelines and practical guidance to clarify ambiguities, so that businesses can make commercial decisions effectively. In this vein, we have issued updates to our anonymisation guidelines to clarify that we take a risk management approach to this topic; and we published a redacted version of a practical guidance on how the research exception ought to work, so that we can make better use of the data we have on hand to make better decisions and improve the services we provide to our customers.
2. The conscientious follower of our website will know that we have also been active in enforcement, taking firmly in hand any organisation that breaches the PDPA. I am told that our frequency of enforcement makes the PDPC one of the most active data protection authorities in the world. Is this level of enforcement warranted? We believe so. Data is such a valuable commodity that if it is not handled with care, it may negatively impact businesses such as through the disruption of business operations, the loss of reputation, loss of customer trust, loss of business opportunities and the diversion of time and resources to deal with costly data breaches. We keep a close eye on the type of breaches that come up before us. A majority of the data breaches in Singapore have been due to the lack of data protection policies and poor IT security measures. Lately, we have observed another emerging trend – the lack of training.
3. The casual reader of our website resources may go away with the impression that it is all bad news and data breaches. But not all is doom and gloom. Conversely, there are other cases where we have found that an organisation had acted responsibly, such that even though there was a data breach, the company was let off. One such case involved the real estate agency, CBRE. Documents containing personal data of its customers were retrieved from the garbage area of an office building. Our investigations found that CBRE had implemented reasonable data protection policies and practices. They also conducted regular training for their employees and set out specific guidance on disposing of confidential information. Furthermore, they adopted policies in relation to information security and communicated them through the Code of Conduct and Employment Handbook. As such, PDPC decided that the agency had conducted its affairs reasonably and appropriately. CBRE was not found to be in breach of the PDPA.
4. This case bespeaks the crucial role of the Data Protection Officer. A DPO who carries his role well is an asset to his organisation. He ensures compliance with the PDPA, but he can do so much more. We plan to share positive examples where a DPO was able to demonstrate that his organisation had in place the right set of data protection policies, had adopted the right culture and practices, and was able to show that his organisation was accountable to its customers for the care of their personal data. An organisation that is accountable may well avoid a finding that it has breached the PDPA even though there had been a data breach.
5. There are exciting plans that we will be unveiling at PDPC’s annual Personal Data Protection Seminar later this week encircling the topic of accountability. I look forward to seeing my fellow DPOs at the seminar. I hope too, that guests to our country will linger for a little while and be able to hear first-hand the announcements that we have lined up. Today, for this audience, I share the amuse-bouche, to whet your appetite, and speak a little about the evolving role of the DPO in accountability and how PDPC plans to help us all make that change.
6. Our emphasis on the crucial role played by DPOs within an organisation echoes global developments. The EU General Data Protection Regulation (GDPR), for example, acknowledges the value of “privacy on the ground” by mandating the appointment of a DPO for all public authorities as well as private organisations that handle personal data on a large scale. With the EU GDPR placing greater emphasis on the role, the importance of the DPO is set to grow. Over here in our little red dot, we had already foreseen how crucial the DPO is to an organisation and have mandated that every organisation appoints a DPO since PDPA was enacted back in 2012.
DPOs’ Role in Accountability
7. An organisation that wishes to be effectively accountable to its customers for the personal data that it holds has to begin the transformation from within. The direction and impetus must come from the top: the board of directors and the CEO. With strong management support, the DPO can be empowered to bring about the changes that are necessary. Ideally, he should be part of the management team because he has a mammoth challenge. The least of his tasks is the introduction of policies that are customised for his organisation. After that, he must communicate these policies and ensure that business processes across the organisation are reviewed and updated, to ensure that the right practices are adopted. He must put in place a training programme, so that all of his colleagues who have to deal with personal data in the course of their work are aware of the new policies and practices. Beyond this, his greater challenge is to help them internalise the need to adopt a culture of respect for their customer’s personal data.
8. These are not one-off tasks that the DPO checks off. The DPO has to be engaged in all the right conversations within the organisation, so that he is able to bring with him the best data protection advice, and contribute to creating the solutions that his organisation needs in order to improve its quality of service. The DPO cannot be a road block. He has to be a pathfinder. He has to equip himself with the right knowledge and tools to be able to contribute positively and help his colleagues achieve his organisation’s goals. At the same time, he is the referee and the linesman. He has to ensure that there are no breaches of the PDPA.
9. We place the DPO at the centre of our plans because we see the DPO as the catalyst. Our plan is simple. First, a DPO needs to be equipped with data protection know-how. Training is essential. Next, a DPO needs access to guidance, tools and help so that he is able to carry out his role effectively. Finally, a DPO cannot function alone but must plug into a larger network of like-minded persons. We need to place DPOs in communities of practices where he may seek out others who face similar challenges to share experiences and solutions.
Strengthening DPOs’ Capabilities
10. With regards to training, PDPC understands the need to equip DPOs with deep knowledge and skills. The DPO is a career path and we hope to professionalise it by lifting the level of training and discourse. We have been rolling out initiatives to do just that:
a. Sector and Industry Briefings. PDPC works with at least 67 trade associations, chambers of commerce and professional bodies to reach out to organisations. We conduct numerous sector specific briefings to help DPOs understand how the PDPA applies to their industry and share lessons that we pick up through our enforcement actions. We have so far reached out to more than 29,800 individuals from more than 10,000 companies.
b. Online Learning. PDPC also has a popular e-learning programme. It has served over 20,000 website visitors and has been a useful resource for organisations that want their employees to acquire a basic understanding of the PDPA. The e-learning Corporate Account feature was launched in August 2015. Since then, more than 13,000 employees from 100 organisations have benefitted from the complimentary online training.
c. PDPC’s Two-day Fundamentals of the PDPA Course. To equip new DPOs with basic knowledge and skills in complying with the PDPA, PDPC had developed a two-day course on the Fundamentals of the PDPA. Since its inception in June 2014, about 5,000 attendees have benefitted from the course with the number of attendees growing every year. In the last 12 months, from July 2016 to June 2017, there were almost 1,000 attendees. That is a 30.2 per cent increase from the same period in the previous year.
d. Partnership with IAPP on an Advanced Course. PDPC aims to further enhance the capabilities and professionalise the role of the DPO in organisations. To do so, PDPC and IAPP are working together to equip DPOs beyond basic principles of the PDPA to provide practical data governance and data protection skills.
Helping and Guiding DPOs
11. Next, I turn to share some of our plans to provide help and guidance to DPOs. PDPC recognises that DPOs may be at varying levels of implementing personal data protection measures in their organisations. Many, in particular Small and Medium Enterprises (SMEs), may struggle to find resources. On this front, we have exciting announcements to make at our PDP Seminar. I think that we are entertaining last minute registrations, for those of us who have not already signed up.
12. The new initiatives that we will be announcing complement existing resources we have rolled out in the past year:
a. Advisory Guidelines, Practical Guidance and Guides. The PDPC develops advisory guidelines, practical guidance and guides to help organisations understand how to operationalise personal data protection measures. I have mentioned the updates to the anonymisation guidelines and the practical guidance on the research exception earlier. In 2016, PDPC rolled out several guides on topics that include the securing of personal data in electronic medium, building websites for SMEs, disposal of personal data in physical medium and the handling of access request.
b. Financial Assistance. To help organisations with funding support when implementing their data protection initiatives, PDPC collaborated with SPRING Singapore in August 2016 to help SMEs tap on SPRING’s Capability Development Grant (CDG). The grant can be used to defray up to 70 per cent of qualifying upgrading project costs. This includes consultancy and training services, assessments and audits, and can also be utilised to defray the costs of adopting software solutions.
c. Virtual Assistant “Ask Jamie”. In March 2016, PDPC launched an automated 24/7 virtual assistant. Utilising natural language processing to decipher questions and provide suitable responses, Jamie adds a human touch to interactions with users who visit the PDPC website for quick answers.
Forging DPO Networks
13. Finally, the third limb of our strategy. Placing DPOs within communities of practices. Besides strengthening a DPO’s capabilities and equipping them with the right skills and tools, forging DPO support networks is important. DPOs need peer-to-peer assistance, and the opportunity to exchange ideas, support one another, discuss challenges and opportunities, and encourage thought leadership within the DPO community. This helps to gather and nurture a pool of quality DPO professionals:
a. Forming of Communities of Practices for DPOs. To help encourage this, PDPC is supporting the formation of Communities of Practices for DPOs. This year, PDPC has been reaching out to trade associations and chambers of commerce, encouraging them to create networking opportunities for DPOs in various sectors. The PDPA applies to the entire private sector and we need a multiplicity of communities. Each sector faces a different set of data protection challenges and has to craft a customised solution for itself. We are only just starting to roll out this new initiative. PDPC plans to co-organise sector-specific DPO engagement and networking sessions. Through these sessions, we hope to encourage DPOs to step up as champions to further the cause. We also encourage ground-up initiatives such as the formation of informal networks of DPOs. We hope DPOs who are active thought leaders, will form associations or societies to help become drivers of personal data protection for their sectors. There is room for different communities and if you do form up, please get in touch with us. PDPC would like to connect and work with you.
b. Encouraging Champions of Personal Data Protection (Case Studies). PDPC has been engaging various companies every year, to share good data protection practices and to be advocates of personal data protection. Their sharing helps other organisations who are starting their own personal data protection measures. In 2016, a collection of stories on good data protection practices was published in a special booklet. PDPC also put together a four-part info-education TV series based on eight of these stories. Called “Your Personal Data, Our Responsibility”, the series, which was broadcast in English and Mandarin on free-to-air channels, reached 2.3 million viewers.
Conclusion
14. These are exciting times for the Data Protection Officer in Singapore and in Asia. And this is the start of a busy week. I have shared my views on how the role of a DPO is evolving. In such changeful times, training and discourse amongst DPOs are absolutely crucial. This is the reason why we have changed the format of our annual PDP Seminar. It will now expand into a full day event with three concurrent workshops in the afternoon. The workshops are intended to focus on practical issues and we hope they will be a little more hands-on and interactive. But the overwhelming response we have received thus far might make that a bit challenging for the workshop facilitators.
15. This week, we are also co-hosting a workshop with Japan’s Ministry of Internal Affairs and Communication. The workshop provides a forum for our ASEAN counterparts to share data protection experience and exchange notes. So even as we encourage DPOs to form communities of practices, the PDPC is also leading by example! As the personal data protection authority for Singapore, we look forward to working with DPOs and help level up and professionalise our cadre of DPOs, as well as forge networks of DPO professionals that will perhaps one day grow beyond our shores.
16. I thank you for your attention and patience, and wish everyone a fruitful forum over the next two days.