Keynote Speech by Mr Tan Kiat How, Commissioner of PDPC, at the IAPP Asia Privacy Forum 2019 on Monday, 15 July 2019, at the Sands Expo and Convention Centre, Marina Bay Sands
15 Jul 2019
Mr Stephen Wong, Privacy Commissioner for Personal Data, Hong Kong,
Mr Raymund Liboro, Chairman and Commissioner, Philippines National Privacy Commission,
Mr Gopalkrishnan S., Joint Secretary, Ministry of Electronics and IT, India,
Ladies and Gentlemen
A good morning to everyone, and to our international friends, a very warm welcome to Singapore.
I am pleased to join you at the International Association of Privacy Professionals (IAPP) Asia Privacy Forum 2019, and I would like to express my appreciation to IAPP for putting together yet another successful Forum this year.
Celebrating Five Years of Personal Data Protection
2. 2019 marks the fifth year of Singapore’s personal data protection journey. We have learnt a lot and gained much experience over the years, and we are grateful for the strong support from the industry, our international counterparts and many other stakeholders.
3. The last five years have brought with them many changes in the global data landscape. For example, with the proliferation of Internet of Things (IoT) devices, there has been an explosion in the variety and volume of data being generated and collected. This has challenged fundamental assumptions around the notification and consent approaches.
4. Advances in Artificial Intelligence (AI) – particularly its sub-branch, Machine Learning – have generated demand for the aggregation of data from a wide range of sources. There are clear benefits to adopting AI systems. For example, AI-powered functions like anomaly detection can identify fraudulent transactions and protect our payment systems. At the same time, we need to ensure that personal data does not fall into the wrong hands and that consumers do not end up being the target of malicious actors.
5. Clearly, technological advances and data-driven innovation will be crucial to the future Digital Economy. In fact, we expect the pace of change to accelerate. This is why we are reviewing the Personal Data Protection Act (PDPA), ensuring that it is updated and remains relevant for the digital era.
6. One of the important insights that we have gained is that data protection and data innovation are two sides of the same coin, and we have been advocating for trusted data as a bedrock for the digital economy. This belief has also guided our approach to data protection – we are going beyond a compliance-based approach, to a heavier emphasis on the principle of accountability.
7. Amidst a business environment that is constantly disrupted by technology, it is impractical to adopt the approach of a box-checking exercise when handling personal data. Such an approach may also overly constrain businesses in their use of data to create value and better serve their customers. In fact, a simplistic and rigid approach would do more harm than good in the long term. Therefore, the PDPC has been encouraging organisations to shift their management of personal data from a compliance-based approach, to one that is based on accountability.
8. What do we mean by accountability? Simply put, accountability is exercising responsibility over personal data in your care, and being answerable to the people who have entrusted their personal data to you. Organisations that have demonstrated accountability will provide their business partners with greater assurance, and strengthen trust with customers.
Strategy of Shifting Emphasis from Compliance to Accountability
9. This shift from compliance to accountability started two years ago. Let me make this point clear at this juncture: this is not a change in principle, but a shift in emphasis. In this regard, PDPC charted a three-pronged approach to manage this shift.
10. First, PDPC introduced tools to help organisations that are embarking on this journey. For example, we introduced the PDPA Assessment Tool for Organisations (PATO) and the Guide to Data Protection Impact Assessments (DPIA). Recently, we updated our Guide to Managing Data Breaches; and introduced the Guide to Data Protection by Design for ICT systems, which was jointly developed with our Hong Kong counterpart. In addition, we have made available an open source Personal Data Asset Inventory Tool, the Docukit Data Protection App. This is a RegTech tool that Data Protection Officers may use to map and keep track of how personal data is being managed within their organisation and across all their data touch points.
11. Second, we introduced the Data Protection Trustmark (DPTM) certification system to recognise organisations with sound data protection practices. We piloted our DPTM around this time last year, and the Minister for Communications and Information, Mr S Iswaran, officially launched the Trustmark in January this year.
12. Third, we are amending the PDPA to reflect this shift. We are completing our consultation on the proposed amendments to the PDPA. Besides mandatory breach notifications by organisations to PDPC and their affected customers, we plan to enhance the consent regime, which will require organisations to adopt accountable practices, so as to better support responsible data innovation.
PDPC’s Implementation of Accountability
13. We are making good progress in our pivot to accountability. While the principle of accountability is not new, our approach to accountability takes this principle further.
14. We take three perspectives towards the principle of accountability:
a. First, from the perspective of organisations: Accountability is about getting their house in order, and putting in place data privacy policies and practices tailored for their needs.
b. Second, from the perspective of administering an effective system of data protection: Accountability requires building a set of measures to incentivise the adoption of accountable practices, and to recognise organisations who have done so.
c. Third, from the global perspective: Accountability enables our companies to connect with companies outside our borders who have similar accountable practices, thereby building a trusted network for cross-border data flows.
15. Accountability tools like our guides and Trustmark certification system help and recognise organisations who have implemented accountable practices. Certified companies have shared that attaining the DPTM certification gives them a competitive edge. One such example is TRS Forensics, a Singapore-based risk consultancy firm which recently clinched a contract with a European MNC. It was the only Singapore-based firm invited to pitch. TRS believes that its Trustmark certification enhanced its reputation and credibility.
16. There has also been an increasing demand for third party vendors to demonstrate adherence to a high level of data protection standards. iColumn, a local digital marketing SME that provides a customer relationship management (or CRM) platform for shopping malls to run loyalty programmes, is one example of a third party vendor that sees value in the Trustmark. To iColumn, the Trustmark assures its clients that personal data and shopping behaviours logged in its CRM are secured with sound and accountable data protection practices.
17. Organisations like TRS Forensics and iColumn are on the right track. In a 2018 PDPC Perception and Awareness Survey, 2 in 3 respondents indicated that they would prefer to purchase from DPTM-certified companies. We encourage more organisations to apply for the Trustmark.
18. We are also making changes at the broader systems level. We have established a set of measures, known as the Active Enforcement Framework, to maximise our investigative resources. The Framework recognises organisations that have adopted accountable practices. It motivates organisations to develop and implement accountable practices in two ways.
19. First, accountable organisations with an effective internal monitoring and notification system will have early detection of data incidents. If a data breach is confirmed, they will be ready to implement their breach management plan. What they appreciate most is not the threat of protracted investigations hanging over their heads, but being given the opportunity to implement their breach management plan. Such organisations may come to the PDPC with an undertaking. The undertaking will be accepted if it achieves a similar or better enforcement outcome than a protracted investigation. If they are able to implement their breach management plan as scheduled, and it is implemented effectively, there will be no need to commence protracted investigations.
20. Second, clear-cut data breaches can and should be brought to a conclusion swiftly. We did not have this option before, but organisations now have the option of requesting an expedited breach decision. They have to admit to a breach of the PDPA, and they have to assist PDPC in reaching a swift decision. This allows accountable organisations to conduct themselves with dignity and act responsibly. They do not have to be wary that statements made to customers may exacerbate pending investigations by PDPC. They can adopt a consistent stance in all communications and actions. This exemplifies accountability to customers, business partners and the regulator. This also has the benefit of allowing such companies to quickly put the episode behind them and for PDPC to channel investigation resources to other priorities.
Global Perspective - Trusted Network for Cross-Border Data Flows
21. Accountability will also set us up for easier cross-border data flows. We are in the final stages before full participation in the APEC Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP). This is a system premised on accountability. It creates a trusted network of accountable organisations in participating APEC economies and allows personal data to flow within this network more seamlessly. Announcements on this topic will be shared later in the week.
From “Openness” to “Accountability”
22. To pull together all that we have done to promote accountability as a data protection obligation, I am pleased to announce the launch of the Guide to Accountability. The Guide explains the principle of accountability and sets out how we have implemented this in Singapore. It covers accountability in three broad areas – within an organisation; within industry; and in enforcement. In addition, the Guide includes examples and resources that organisations may use to translate accountability concepts into practical steps they can adopt. Along with this Accountability Guide, we are also revising relevant sections in our Advisory Guidelines.
23. PDPC will also be making this shift clearer by recognising Accountability as one of the obligations in the PDPA. From today, we will revise the current “Openness Obligation” to the “Accountability Obligation”. This will provide clarity on the PDPC’s interpretation of accountability in relation to Sections 11 and 12 of the PDPA. This revision to our nomenclature reflects our developing maturity in data protection and supports impending amendments to the PDPA that will further embed accountable practices.
Growing Importance in a DPO’s Role
24. Last but not least, I would like to emphasise the growing importance of a DPO. An effective DPO is a crucial asset to his organisation. Besides ensuring compliance with the PDPA, he can do much more. To build an effective data protection ecosystem, we believe that DPOs have to be properly empowered, equipped with the right skills, and attain the right level of proficiency at each stage of their career path. The PDPC looks to you as partners and champions for a robust data protection environment. We will share more information on how we are supporting DPOs in your development later this week.
25. On this note, I thank you for your attention and look forward to engaging with you over the course of this week.