As part of its continued efforts to protect both individuals and corporations from data theft, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore have launched an online consultation of the Personal Data Protection (Amendment) (PDPA) Bill 2020.
At the risk of sounding alarmist, the PDPA could have drastic consequences for organisations found to be non-compliant or negligent in their data security duties, resulting in financial penalties of tens of thousands of dollars.
To help you navigate this new compliance issue, we’ll go over the basics of the PDPA, how you can comply with it, and how your company can actually become an industry leader in data protection with the Data Protection Trustmark Certification (DPTM).
First, let’s go over the basics of data breaches, and what they usually look like in a real-world setting.
What is a Breach of Personal Data?
In essence, a data breach is an incident that exposes personal data which was supposed to be held securely and privately by an organisation. The data may then be subject to unauthorised collection, use, access, copying, modification, loss, or disposal.
Data breaches are not always intentional or criminal; they can also result from human error or computer system error.
The end result, no matter the cause, is a breach of trust and security for the affected individual, as well as serious ramifications for the organisation in terms of employee and consumer trust.
Real-world examples are:
- A company’s dividend cheques were sent to outdated addresses, exposing shareholders’ personal data such as their names, NRIC numbers, and the value of their holdings.
- An individual looked up her own NRIC number, only to find that she could access an open Excel spreadsheet containing sensitive personal data, such as NRIC numbers and email addresses.
Both of these situations did in fact occur in Singapore in recent years, and both resulted in financial penalties in the tens of thousands of dollars.
What Is the PDPA?
The PDPA is the Singapore Government’s main shift towards transparency when it comes to data breaches within any given organisation. The central focus of the PDPA is mandatory data breach reporting, which will create a fundamental paradigm shift in the way that every organisation in Singapore operates when it comes to data protection and security.
With the PDPA, the Personal Data Protection Commission (PDPC) of Singapore is creating guidelines and rules that encourage all Singapore-based organisations to create risk-based internal monitoring of their data security systems, and increase openness when it comes to any and all data breaches.
How Does a Company Comply With the PDPA?
As mentioned above, the central tenet of the PDPA is to put systems in place that create an organisational culture of complete transparency about data breaches.
There are two main incidents that would require an immediate report of a data breach:
- When a data breach is likely to result in, or does in fact result in, significant harm to an individual whose personal information was exposed.
- When a data breach affects more than the minimum number of affected individuals that would suggest there is a systemic data security issue within an organisation. While no number has yet been set, the Personal Data Protection Commission has suggested 500 people.
At this point in time there are no classes or levels of personal data breaches; however, it is expected that the PDPC will create them in the future. For example, the breach of a personal credit card number would likely be treated more seriously than the breach of a personal email address.
Once a data breach is discovered, the PDPC suggests following their C.A.R.E. model:
- Contain the breach to prevent further data compromises.
- Assess the data breach by gathering facts and measuring risks, including the harm to the exposed individual/s.
- Report the breach to the PDPC and/or the affected individual/s.
- Evaluate the organisation’s response to the data breach and create systems to mitigate similar breaches in the future.
If you would like to know more, you can read the PDPC’s full Guide to Managing Data Breaches.
How to Lead Your Industry With DPTM Certification
With these sweeping new changes to data security, the Singapore Government has recognised the need for education in terms of organisational transparency and compliance.
With that comes the Info-comm Media Development Authority of Singapore (IMDA) launching the Data Protection Trustmark Certification (DPTM), which can be received by almost any Singapore-based organisation.
By receiving the DPTM, an organisation can demonstrate to the public their proficiency in data protection, provide a competitive advantage over other organisations, and improve consumer confidence.
There is of course a process for applying for the DPTM, which starts with preparing the Entity Profile with supporting documents for the DPTM certification. The organisation is then given a self-assessment form to complete. Once that is done, the organisation can approach an IMDA-approved Assessment Body (AB) for a quote on any assessment fees. After the organisation has chosen and appointed its AB, it can then submit its self-assessment to that AB.
The AB will follow up with an on-site visit of that organisation to start the DPTM certification process, looking at four major standards:
- Management of Personal Data
- Governance and Transparency
- Individuals’ Rights
- Care of Personal Data
If the AB finds any non-compliance, the organisation has around two months to rectify it. Once approved, the organisation will be informed by the IMDA and receive its certification.
Conclusion — moving forward with PDPA transparency and DPTM Certification
This is absolutely a new world we are moving into, and the landscape is far from familiar when it comes to governmental compliance in terms of data security.
Thankfully, we’re very proud to say our team of data and compliance experts have been working very hard to be on the cutting edge of these developments, and they are looking forward to sharing their proficiency with you as a responsible organisation.
As an added bonus, we may also be able to help you reduce or even completely waive your DPTM assessment fees, as there are several exemptions for SMEs and NPOs. If you’d like to know more about this, please talk to us, as the rules here can change.
If you have any questions about complying with the PDPA, or securing your DPTM certification, we would encourage you to reach out to us for some no obligation advice — we are here to help.
FAQs
It’s been over five years since data became the most valuable commodity on the planet, surpassing oil. It will come as little surprise, then, that breaching data has become an extremely lucrative global criminal industry in its own right. Organisations should be more aware of this and take extra precautions to prevent any breach of data.