Most Data Protection Officers preparing their businesses to comply with Singapore’s Personal Data Protection Act (PDPA) from July 2014 will be focused on ensuring the right processes are in place to handle personal data in line with the new regulations.
But focusing on processes alone is not the best way to minimize and manage risks around non-compliance. It promotes a ‘tick box’ mentality – where incidents of non-compliance only emerge when a formal audit takes place – and leaves organisations without the means to pick up and correct errors as they happen or to anticipate and prevent future breaches of procedure.
To be able to demonstrate ‘care of data’ as required by the Act, businesses need to look beyond processes and focus on two additional areas: culture and governance, and technical controls. This more comprehensive, three-pronged approach reinforces data security dramatically and gives businesses far greater assurance that they are compliant.
Align personal data handling processes with compliance requirements
A review of data handling processes is still the right starting point for developing a robust programme for compliance. This is the first area the regulator’s audits are likely to address, so organisations need to:
- understand how personal data is used
- identify misalignment or gaps against PDPA compliance
- update policies accordingly.
Embed personal data protection into organisational culture and governance
The regulator will be looking for evidence that people handling personal data understand what the law requires of them and what their employer expects of them. Without this understanding, data protection is seriously undermined, so organisations need to:
- establish role-based accountability for personal data protection
- promote awareness of responsibilities at corporate and individual level
- provide regular training and communications
- create a regime for verifying compliance.
Impose robust controls for data protection and information assurance
Threats to personal data can come from two sources – internal (the organisation’s own employees) and external (cyber criminals). A robust strategy establishes controls to protect data on both fronts. Organisations need to:
- create plans for managing cyber security and information systems
- manage and control access to, and use of, information systems
- use penetration testing to ensure cyber security
- create monitoring, audit and reporting systems.
PA’s track record of working with regulators internationally and of advising major organisations in many sectors on regulatory matters makes us well placed to support businesses in Singapore with their preparations for PDPA.
To find out why we are the right team to help you achieve PDPA compliance, contact us now.