The Personal Data Protection Commission (PDPC) of Singapore organised Personal Data Protection (PDP) Week 2021, from 14 to 17 September 2021, with the theme "Driving a Data-Driven Culture".
During the four-day event, the PDPC made several announcements, including new and updated free resources to help organisations strengthen their data protection measures, and the launch of the Better Data-Driven Business programme by the Infocomm Media Development Authority (IMDA) and PDPC, to help SMEs gain deeper consumer insights and scale up their businesses through responsible use of data.
Josiah Poh, Straits Interactive’s Data Protection Officer (DPO) and Senior Manager of Consultancy and Legal, reviews the announcements and shares his analysis in the following video:
1. An “assume breach” data protection posture
A data breach should be assumed: it is not a matter of whether a breach will happen, but when. The PDPC has made this point at previous events as well. If a breach is assumed, organisations need to prepare in advance so that they can respond when it occurs.
The data breach notification obligation under the amended PDPA took effect in February this year, so it is vital for companies to have their data breach response plans in place. Financial penalties for breaches of the Act will also be higher from next year onwards.
Data protection is not the sole responsibility of the DPO; it is a shared responsibility across the organisation. Good internal incident handling is needed so that the situation can be resolved quickly and amicably with the affected data subjects. The PDPC should be the last party brought into the process, not the first.
2. New/revised guides published through PDPC, on the following topics:
• Data Protection Management Programme (DPMP)
• Data Protection Impact Assessment (DPIA)
• Data Protection Practices for ICT Systems
The PDPC has updated their “Guide to Developing a Data Protection Management Programme” to incorporate best practices in accountability to support organisations' personal data protection policies and processes.
One of the revisions is the switch from the 3Ps approach (policy, people, process) to a new four-step framework: governance and risk assessment; policies and practices; processes; and maintenance.
The competency roadmap that the PDPC introduced for DPOs is now included in the guide, which also makes clear that Data Protection Trustmark (DPTM) certification can be treated as part of the maintenance step, effectively a form of audit.
The PDPC has also updated their “Guide to Data Protection Impact Assessments”, to align with new obligations under the updated Personal Data Protection Act (PDPA).
The six-phase DPIA process is unchanged:
1. Assess need for DPIA
2. Plan DPIA
3. Identify data and personal data flows
4. Identify and assess data protection risks
5. Create action plan
6. Implement and monitor an action plan
One change to note is in the questionnaire in the annex of the DPIA guide, which has gained a data breach section. The new questions cover the organisation's data breach policy, standard operating procedures, communication plans for affected individuals and the PDPC, and remediation plans. The risk assessment portion is unchanged.
The new “Guide to Data Protection Practices for ICT Systems” and “Checklists to Guard Against Common Types of Data Breaches” are now available on the PDPC website.
The guide consolidates material from past PDPC advisory guidelines and guides on data protection practices, lessons learned from past data breaches, and the basic and enhanced practices that organisations can build into their ICT policies, systems and processes. It gives IT and systems teams clearer visibility of what is expected of them.
In addition, there are two checklists, provided in editable document format, to help organisations establish and review the policies, technology controls and processes that guard against the mistakes that most frequently lead to data breaches.
Article by: Yong Shu Chiang, Steffi Tay (GRCP)
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.
DPEX Network is a Community Initiative of Straits Interactive.
Copyright © Straits Interactive Pte Ltd. All Rights Reserved.
All intellectual property rights to logos and brands featured on this website remain the property of their respective owners.