Accountability – Personal Data Protection Commission (PDPC) Expectations

In 2018, the PDPC gave an address at an NUS Law Bukit Timah seminar on the topic “Pivot from Compliance to Accountability.” In essence, the PDPC emphasised the significance of trust, saying that the Commission firmly believes that new uses of data and advanced technologies would be pointless without trust.

While a balanced, forward-looking, and nimble approach to tech regulations can help facilitate innovation and build trust, organisational compliance with data protection laws will be needed. The changes also brought about the creation of courses like the Advanced Certificate in Data Protection Operational Excellence.

The 12-day training is considered ideal for DPOs, Compliance Managers, and those with data protection responsibilities.

Participants of the Advanced Certificate in Data Protection Operational Excellence will complete 5 modules such as Data Protection Trends and the Roles of the DPO and Practical Approach to Data Protection for DPOs, among others.

Organisational Tools of Accountability

There are various aspects of accountability, and all of them relate to pre-emptively identifying and addressing data protection risks.

Data Protection Management Programme (DPMP)

Organisations cannot manage data protection risks unless they are first able to identify those risks. A Data Protection Management Programme (DPMP) is considered a necessary step in identifying and managing data protection risks.

At its heart, the process is similar to the plans employees make about how to achieve their key performance indicators (KPIs) and earn an annual salary increase or bonus as a result.

The employee also needs to figure out the KPI components and how to minimise or reduce their impact. They also need to have a plan that will at least involve accepting some of the risks. In any event, the employee will have to take ownership when it comes to achieving their KPIs rather than leaving things up to chance.

Data Protection Impact (Risk) Assessment

A Data Protection Impact Assessment (DPIA) forms part of a DPMP. Organisations may conduct a DPIA as part of an initial DPMP. They should also carry out a DPIA when creating a new system or process that will involve personal data and when making changes to an existing process or system that involves personal data.

All relevant stakeholders also need to be involved in a DPIA, including relevant external parties and internal organisational functions. A DPIA presents an opportunity for a deep dive into the data protection issues that may arise in a process or system and to remedy them as part of the design.

In that way, it results in “data protection by design,” where data protection is built into the process or system.

Consent Registers – Openness

The Personal Data Protection Act (and its counterparts in other countries) puts a huge emphasis on openness (or what is commonly referred to as transparency). It revolves around the idea that people are entitled to know the purposes for which organisations will use their personal data and to whom it might be disclosed.

Organisations in Singapore are required to notify individuals of the reason and purpose for which personal data is collected. Consent can be either express, like a specific written consent, or inferred or deemed from the conduct of the individual.

Organisations should also maintain registers of the consents they have obtained and from whom they have obtained them as part of accountability. Logically, the registers should be underpinned by evidence that the organisation notified such individuals of the purpose for which the organisation may disclose or use personal data about them.