December 2017

– 1 –

With an abundance of product and service startups entering the rapidly growing digital economy every year, consumers have no lack of spending choices, making it tough for businesses to differentiate themselves.

On the other hand, with cybercrime and cyberattacks becoming more common, and facts and misinformation becoming harder to determine, consumers have to make spending choices in a more challenging environment.

“Under such climate, consumers will be more inclined to select companies they know they can trust with their data,” said Deputy Commissioner of the Personal Data Protection Commission (PDPC), Yeong Zee Kin.

“Consumer trust is an invaluable asset in the digital economy, which can very easily be lost. With the collection and use of personal data being an essential procedure for many businesses to service their customers, being able to handle the information with

Helping Companies Win the Invaluable Digital Economy Asset

respect and care makes all the difference.” And guiding companies towards achieving the trust asset is what PDPC has been striving for the past five years.

In 2017, PDPC launched several initiatives to help companies, particularly Small and Medium Enterprises (SMEs), as well as data protection officers (DPOs), strengthen their personal data protection capabilities.

Some of the resources also aided in facilitating a mindset shift from compliance to accountability when it comes to the management of personal data.

These are key to gaining consumer confidence and trust in a business environment that straddles a borderless information superhighway.

PDPA Assessment Tool for Organisations (PATO)

For many companies, topmost on their list of challenges when it comes to personal data protection would be to identify the areas within each of the nine obligations of the Personal Data Protection Act (PDPA) where they are lacking, and know what could be done.

To help DPOs along this journey, PDPC rolled out a complimentary PDPA Assessment Tool for Organisations (PATO) on its website in September 2017.

December 2017December 2017

– 3 –– 2 –

The online self-assessment tool is able to generate a report based on the user’s inputs, provides an action plan template, and recommends relevant resources such as the PDPC’s advisory guidelines to help address the gaps.

For those new to the PDPA, the tool can also serve as a checklist of key areas that they would need to develop measures for with regards to personal data protection.

DP Starter Kit

For SMEs beginning their data protection journey, there is also the DP Starter Kit.

Launched by PDPC in October, it is a step-by-step guide which offers useful information and resources such as sample forms, clauses and communication materials that are easy to implement.

It also provides guidance on issues that SMEs face when complying with the PDPA. Download a copy of the DP Starter Kit here.

DP Advisory Sessions

Help is also at hand for organisations that need more guidance on how to develop personal data protection measures.

PDPC has established a panel of Data Protection (DP) Advisors to provide tailored support and

assistance to SMEs and Non-Profit Organisations (NPOs) in Singapore.

The advisory service allows organisations to have a better understanding of their obligations under the PDPA, identify data protection gaps, and points them to relevant resources.

DP Advisors will also be able to identify available grants that SMEs may tap on, types of training their employees can attend, and point them to external data protection service providers.

Since its inception in October, the DP Advisory Sessions has helped more than 40 SMEs and NPOs.

Mobile game publisher Go Game Pte Ltd is one such beneficiary.

“The programme (advisory session) is very helpful for SMEs who do not have the resources to hire specialists to assist them in complying with the PDPA. We are very thankful to the government for providing SMEs such as goGame with these resources,” Ms Nicole Oversier, Data Protection Officer and Head Legal Counsel, Go Game Pte. Ltd.

“We found that the DP Advisors have an in-depth knowledge of the PDPA’s requirements and demonstrate an understanding of the practical aspects of complying with the Act,” said Mr Hudson Teh, Senior Finance Manager, Ling Kwang Home for Senior Citizens.

“Advisors are able to highlight specific issues and challenges relevant to my organisation.”

Guide to Data Protection Impact Assessment (DPIA)

Another resource that PDPC released in November 2017 was the DPIA guide.

The DPIA is a tool that help DPOs identify where personal data may be at risk as they review existing or new systems or processes, and develop measures to tackle that risk.

It involves various stages such as determining the need for an impact analysis and planning; identifying personal data and how it flows; identifying and assessing data protection risks; creating measures and an action plan to tackle the risks; and then implementing the plan and monitoring outcomes.

Ms Mary Gowri Rajoo, HR & Finance Manager and DPO of iHRos Pte Ltd, said “The DPIA guide will come in handy when our organisation has to review existing or new operations or initiatives, to help identify, assess and minimise data protection risks”.

Guide to Developing a Data Protection Management Programme (DPMP)

One of the first steps towards accountability is to implement a DPMP.

The DPMP is a masterplan that helps companies plan, implement and maintain a robust personal data protection infrastructure.

It lays out a company’s data protection management policies, processes, and the roles and responsibilities of staff and stakeholders in the handling of personal data.

PDPC released the Guide to Developing a DPMP in November 2017.

The guide includes pointers on developing data protection policies and translating them into implementable processes, as well as highlights the importance of developing a governance structure and defining the roles and responsibilities of staff and stakeholders.

Mr Leong Sing Meng, Data Protection Officer, SAS Singapore, welcomed the fact that the DPMP guide and the assessment tool (PATO) are made readily available and free for use by companies.

“The tool (PATO), together with the DPMP Guide, will not only provide companies with a better view of how they fare in initiatives to protect customer data, but will also be extremely useful

in providing actionable steps for organisations and DPOs to ensure compliance,” said Mr Leong.

“The tool (PATO), together with the DPMP Guide, will not only provide companies with a better view of how they fare in initiatives to protect customer data, but will also be extremely useful in providing actionable steps for organisations and DPOs to ensure compliance,”

- Mr Leong Sing MengData Protection Officer

SAS Singapore

December 2017

– 4 –

“Access to such personal data protection knowledge is key to a greater understanding of what Singapore as a community deems acceptable and what is expected of organisations. A greater understanding also serves to help boost the overall standards of data protection in Singapore which ultimately leads to increased consumer trust. Such an environment of trust can only benefit businesses as it enables them to seize opportunities and reap the rewards of data innovation.”

Personal Data Protection (PDP) Digest

To better strengthen data protection measures, lessons can also be drawn from enforcement cases.

And to provide such lessons and guidance to DPOs, lawyers and in-house legal counsels who advise on data protection, PDPC published the PDP Digest.

The digest comprises of PDPC’s enforcement decisions, summaries of unpublished cases where no breach was found, and a collection of data protection-related articles contributed by data protection practitioners.

“DPOs and data protection lawyers can learn a lot from breach cases. From cases where there were breaches, DPOs and lawyers can learn to avoid the paths taken and their mistakes. Equally, we can learn from cases where the organisations were exonerated: DPOs and lawyers can better understand what standard of data protection is acceptable,” said PDPC Deputy Commissioner Yeong Zee Kin.

PDPC’s Legal department and the PDP Digest editorial team.

“The DPIA guide will come in handy when our organisation has to review existing or new operations or initiatives, to help identify, assess and minimise data protection risks”

- Ms Mary Gowri RajooHR & Finance Manager and

Data Protection OfficeriHRos Pte Ltd