Hoi Wai Khin, RSM's director heading the Data Protection Officers ("DPO") Services, joined a panel of specialists to address more than 300 human resource practitioners in the "Empowering a Digital-Ready Business while Ensuring Data Protection" webinar on 18 June 2021. Organised by the Singapore National Employers Federation ("SNEF"), this event is part of the SNEF In-conversation Series, which brought together industry experts to discuss the latest Personal Data Protection Act ("PDPA") amendments and how businesses can become more digitally ready and resilient as they transform.
Edwin Lye, Assistant Executive Director, Industrial Relations and Membership of SNEF, was the moderator of this event. The event panellists included Toh Hong Seng, Director for Trading, Retail and F&B, Hospitality, and Tourism Industry Groups Cluster, Industrial and Workplace Relations Division of SNEF; Lionel Tan, Partner of Rajah & Tann Singapore LLP; Chong Sieh Fong, Senior Deputy Director (Ecosystem Development and Engagement), Data Innovation and Protection Group of Infocomm Media Development Authority ("IMDA"); and Hoi Wai Khin, Director, Business Consulting of RSM.
The Enhanced PDPA & Accountability
Hong Seng kicked off the session by highlighting the new PDPA obligations, exceptions, and provisions that came into force on 1 February 2021.
He emphasised the need for businesses to shift towards accountability, stating that "checkbox compliance" is no longer enough in today's connected and competitive business environment. Accountability helps businesses to thrive in the digital economy by strengthening trust with the public, enhancing business competitiveness, and providing greater assurance to their customers. He went on to advise how businesses can show accountability through:
- Integrating policies, processes and people in their Data Protection Management Programme (DPMP)
- Building a robust Data Breach Management Plan
- Embarking on Data Protection Trustmark (“DPTM”) Certification
Sieh Fong from the IMDA shared the library of resources and tools available to help businesses understand their PDPA obligations and stay compliant. These include an eLearning programme, the PDPA Assessment Tool for Organisations ("PATO"), and [email protected] (a programme that allows SMEs to outsource their data protection function), just to name a few.
She also stated that the PDPC "adopts a nurturing and educational approach" in managing data-breach cases. When there is a complaint, the PDPC does not immediately start investigating and imposing fines, but instead looks to resolve the case by mediating amongst all parties first.
With the growing number of phishing attacks in Singapore, participants were also concerned about the newly introduced penalties for individual offences. Addressing this concern, Sieh Fong clarified that the PDPC only seeks to penalise individuals who mishandle personal data with ill intent, and not those who fall prey to attacks such as phishing.
Operationalising Data Protection
Lionel, sharing from a legal perspective, encouraged businesses to look at their business processes to see how best to leverage the new PDPA exceptions and provisions, citing examples of how data can be shared and analysed for fraud prevention or to provide better services to customers across related groups of companies.
Both Lionel and Wai Khin noted that 70-80% of the commission's decisions arise from breaches of the Protection Obligation because businesses have weak internal controls; for example, not enforcing strong passwords or sharing administrative credentials amongst administrators.
Wai Khin pointed out that businesses should not equate a data breach to a cybersecurity breach. In addition to cyberattacks, businesses also need to be mindful of malicious insider threats and/or human errors.
Addressing queries regarding the role and responsibilities of a Data Protection Officer ("DPO"), Wai Khin explained that the appointed DPO need not be a full-time position. In smaller organisations, it is more common to see double-hatting, where the responsibilities of a DPO are added to another job role. He recommended having a DPO team for knowledge sharing and backup, and using a group email address instead of listing individual contacts.
Other useful data protection and compliance tips shared during the Q&A session include:
- Conducting a data inventory and mapping exercise to improve efficiency and increase accountability
- Listing the mobile numbers of the data breach management team, including external service providers, as well as finalising pre-agreed rates well before an incident happens
- Developing a fail-safe plan to keep both digital and physical copies of the data breach management plan
For a more in-depth understanding of the recent PDPA amendments, and how they can affect businesses and data handling processes, do have a chat with us. If you would like to find out how you can get support to simplify your PDPA programme, you can find out more about our DPO2SME service.