What are the common Data Protection mistakes by Non-Profit Organisations?

A non-profit organisation is usually set up for cause that benefits the wider community and is usually not quantifiable by monetary gains hence, not profit driven. E.g., providing services to the disadvantaged in society, environment issues, animal rights. These organisations are usually resource strapped and there may be a misconception that data protection requirement is less stringent on them.

The law is impartial and does not state such a difference in treatment. Often organisations that “do good” also collect, use, disclose and store a great deal of personal data, and would be subject to similar risks as commercial, profit-motivated organisations. This is especially in digitised economy where work, transactions and interactions require personal data.

Trend – Common Data Protection mistakes

1. There are increased data breaches following the outbreak of the Pandemic. This is due to the fact that the pandemic situation came quickly giving organisations little time to do the necessary risk evaluation and mitigation measures. The organization-wide data security protocols and firewalls are rendered less effective owing to the sudden Work-From-Home (WFH) model, resulting in far more data breach cases and calls for ransomware.
2. Due to the nascent stage of data protection culture and the unreadiness to implement thorough information-security measures, many organisations were caught flat-footed and had to “make-do” to keep the operation going.  Of the 10 obligations under Singapore's PDPA, the protection obligation was the most commonly breached obligation.
3. Organisations still face a high level of risk in moving their operations online because many of the staff lack awareness and training in data protection. The strength in any data protection management programme is only as strong as its weakest link. To a large extent, untrained staff and lack of awareness leads to callousness and may present a window where breaches can take place.  Regular training, on the other hand, not only helps demonstrate accountability to Data Protection regulators but so also minimizes risks.
4. Part of the know-how would also extend into risk management especially in the area of vendor-management. Many organisations, especially non-profit organisations that lack the in-house expertise make the mistake of thinking that the responsibility is farmed-out when the task is outsourced. The common adage is “One can delegate the task but not the responsibility.” With outsourcing comes risk which needs to be managed.

Ramifications:

The true cost of non-compliance may extend beyond just a financial penalty from the regulator.

From the regulator(s), the following may arise:

a. Fines or Financial Penalty.

In Singapore, fines are intended to act as a form of sanction and deterrence against non-compliance when Directions alone do not sufficiently reflect the seriousness of the breach. In considering whether to direct an organisation to pay a financial penalty, the PDPC will take into account the seriousness of the incident of the breach. In assessing the seriousness of the breach, the PDPC considers the following:

Impact of the data breach, which may be factored by the number of affected individuals and/or types of personal data that were compromised or put at risk as a result of the breach.

• Whether the organisation had acted deliberately.
• Whether the organisation knew or ought to have known the risk/s and reasonable measures to prevent or mitigate it.
• Extent of non-compliance with the obligations guided by the PDPA
• Whether a DPO or equivalent had been appointed to manage a DPMP ensuring accountability with the PDPA.
• Whether it is a repeated breach of the PDPA.

b. Warnings, directions, and undertakings.

In Singapore, it is very much at the discretion of the regulator but 2 important considerations whether the organisation may carry out with then undertaking is when:

• The organisation is able to demonstrate that it has in place accountable practices, for example, a Data Protection Trustmark certified organisation, and is ready to implement its remediation plan; or
• The PDPC is of the view that an undertaking achieves a similar or better enforcement outcome more effectively and efficiently than a full investigation.

Other ramifications of non-compliance which may increase the true cost could include:

c. Breach of Director's Duties and Shareholders Suits

d. Litigation by Individuals

e. Criminal Prosecution

f. Reputational harm/damage Share price

g. Loss of customer & stakeholder trust

h. Remedial expenses

Organisation’s Responsibility

The demonstration of responsibility towards the care of personal data is not just measured by understanding of Legal Clauses. It is measured in the effort invested in mitigating the risk of data breach. This can be seen in efficient implementation using a top-down approach, on-going operational compliance and well as regular training and awareness sessions.

This is required in the organisation where personal data is collected, used, disclosed and stored (CUDS). At every point, the organisation has to have policies and procedures to:

1. Govern
2. Identify and Assess risks
3. Protect the data through a robust DPMP.
4. Sustain the programme, through monitoring, updates and training sessions.
5. Respond to queries/ incidents and have a drawer plan ready.

In short, the “GAPSR doughnut” summarises a Data Protection Management Programme

In setting up the DPMP, the organisation can do it internally through a trained DPO.  This requires the DPO to be well-trained with setting up the DPMP which requires the co-operation of all staff or department handling personal data. There are courses and a training roadmap is available.

No matter how big or small your organisation may be, getting started with a Data Protection as-a-Service (DPaaS) package is a good place to begin your data compliance journey. 

If organisations are still stuck on where to begin, they can do a quick self-diagnostic to assess what it needs on the DPEX Network website. 

Before attempting to tell stakeholders and regulators that it is responsible for the data entrusted to it, the organisation must do its best to operationalise the above data protection measures.

Article By:  Wendy Lim, Info Sec (EXIN), CIPM and Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.