Things You Should Learn About Data Protection Officers!

 

Introduction

The Personal Data Protection Act (PDPR) mandates the appointment of a data protection officer (DPO). The question arises, What is PDPA? They are in charge of reviewing and executing an industry's information security framework to manage complaints with PDPR obligations. Their primary responsibility is to make sure that the personal data of the organization's employees, consumers, contractors, or other persons are processed under general data protection laws. They are autonomous, information security experts, well-resourced, and work under the top management levels. This article will provide all the information someone needs to know about DPO as a service.

 

What businesses require DPO?

 

The PDPA passage illustrates that the data handling's size and scope dictate the necessity for a DPO. It doesn't matter how big or small the organisation's size is. They consider four main elements when determining if a DPO is required. They are:

 

●       Subject of data

●       Items of data

●       The length of document retention

●       The geographical range of processing

 

 

Their requirements and responsibilities

 

These are some of the primary responsibilities of a Data protection officer assigned by the

Personal data protection act:

 

●       When designing and implementing policies and practices for managing personal data, ensure compliance with the PDPA.

●       Developing a data protection mindset among staff and informing stakeholders about unique data protection regulations;

●       Answering inquiries and concerns about the protection of personal data;

●       Notifying management of any potential problems involving personal data; and

●       If required, consult with the PDPC on data protection issues.

 

Training and guide

 

In this technological world where everything is almost coded and is done online, data protection is highly required. To maintain cyber security, people trained to become data protection officers go through rigorous training. The company leaders know almost everyone, and the people who contact customers' details are advised to take these pieces of training. PDPA Compliance Training and guide is essential as human beings are prone to making mistakes, which might become a major issue in data protection. 

 

Outsourcing DPO

 

Technical components of the DPO position might be outsourced to a service supplier by organizations with workforce limitations. However, management is responsible for the overall function of DPO. There are many Outsourced DPO Singapore. To begin with fundamental data protection measures, organizations can contact any organizations that have enrolled with the Authority.

 

Conclusion

 

The article provides all the information about the data protection officer. They are people who are trained to protect personal data under the act of personal data protection 2012 in Singapore. The organizations that require data protection officers and the officer's responsibilities are all listed above. Here, one can get a clear idea about the PDPA and data protection officer.

Breach Of The Protection Obligation By Country Club

In this article, we use a recent case to emphasize the significance of enforcing protection obligations and hiring an outsourced DPO to help you to be compliant with PDPA when you're collecting clients’ personal data.

This applies to education centres, healthcare associations and other associations that collect personal data in the provision of their services.

On 24 February 2021, the Country Club involved notified the Personal Data Protection Commission that one of their employee’s email accounts had been compromised and 600 phishing emails had been sent to various individuals on 22 February 2021.

The Organisation subsequently requested for this matter to be handled under the Commission’s expedited breach decision procedure. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the “PDPA”) as it failed to document its password policy in writing.

The Protection Obligation under section 24 of the PDPA extends to and includes the training of all employees who have to handle personal data in the course of their work so that an organisation’s employees can then successfully adopt and implement the policies and best practices to ensure the protection of personal data in an organisation.

The Deputy Commissioner penalised the Organisation with a financial penalty of $4,000 within 30 days from the notice accompanying date of this decision.

It is important for any organization that collect clients’ personal data to protect this data using cyber security solution like endpoint protection software.

Breach Of The Protection Obligation By Schools

In this article, we use a recent case to highlight the importance of implementing protection obligations and hiring an outsourced DPO to help you to ensure compliance with PDPA when you are collecting clients’ personal data. This applies to tuition centers, healthcare organizations and other organizations that collect personal data in the provision of their services.

On July 2, 2021, School A alerted the Personal Data Protection Commission that a parent of a student is able to view and access a student report produced by the Organization via internet search engines.

Following that, the Organization requested that this matter be resolved under the Commission's expedited breach decision procedure. It also admitted to violating the Personal Data Protection Act (the "PDPA" section 24). The Deputy Commissioner for Personal Data Protection orders the Organization to pay a $10,000 financial penalty within 30 days of receiving the notice accompanying this decision

To protect clients’ personal data and prevent unwanted access, an organisation storing personal data in website directory/folders must implement protection obligations procedure to safeguard data. 

Furthermore, no clear business needs were stated that the Organization was depending on the sister firm to implement security solutions to protect personal data. When an organisation receives IT services from another member of the group, it should ensure that the latter is obligated by formal agreements or group regulations to secure personal data while providing the services.

Implementing PDPA can be a daunting experience, an organisation should consider hiring an outsourced DPO Singapore to ensure that the organisation implements both policies and procedures that comply with PDPA. This is because any data breach or non-compliance may lead to an organization being fined. 

Is Protection Of The Data The Most Important Obligation?

 

In an article dated 2nd November by "The Straits Times", it was reported that of all the breaches till October 2021 more than 67% of the cases are related to a breach in protection obligation. This means companies did not put in place security arrangement to protect data in their possession. This lack of security protection led to unauthorized access of these data where hackers may collect, use and disclose them.

In today's highly digitalized business environment, many companies collect personal data in order to serve their customers better. This purpose to serve customers better may turn into a problem if the data are not properly protected and secured.

It is therefore important that companies build trust with their customers by ensuring they implement proper data protection strategies.

This may be as simple as as building password and limiting access to the data. However, as your data size grow due to expansion this may no longer be sufficient and will call for a detail analysis of the data life cycle so that you can implement the right data protection strategies to secure the data.

You can go the PDPC website to access the wealth of resources available there or speak to us to see how we may assist you.

Remember that data can give you the business edge, protect them wisely.

What Are The Learning Points From A Personal Data Protection Breach In An Organization?

        It has been reported on PDPC website that non-profit Company A has been fined a total sum of 14,000 due to hacked databases that were made available for download on hacking forums and Telegram channels.

This fine has been a result of data protection infringements under the Personal Data Protection Act (PDPA) as Company A has failed to implement safety measures to protect personal data of 5,131 members and non-members under the Protection Obligation.

 

The types of data that were affected included information on names, encrypted passwords, e-mail addresses, telephone numbers and birth dates of the users.

 

On January 14^th, PDPC also noted the Company had no written policies and practices and the company did not appoint a data protection officer (DPO).

 

In light with this incident, we would like to share the importance of PDPA and how it can affect your business.

 

Why is PDPA important?

 

All data collected that is identifiable to an individual in which any business handles need to be well protected.

 

With the advancements of technology, this trend has been growing exponentially and are becoming more relevant to business owners.

 

The failure to comply with the Act will result in serious consequences to businesses as seen above.

Why is PDPA important for my business?

 

In today’s digital world, companies are collecting more and more personal data evidently. We collect these data to help us grow our business through digital marketing.

 

With this, it is therefore, important for companies to have in place policies and practices to handle these data asset.

 

More importantly, we should have in place strategies to protect these data.

  

WHAT IS THE KEY LEARNING FROM THIS CASE STUDY?

 

On 19 November 2020 and 20 November 2020, Company A SG and company B notified the Personal Data Protection Commission of a data breach incident whereby an unauthorised third party had gained access to business servers of the Company A Group and managed to ex-filtrate information, including personal data of the employees of the Organisations.

As the main Human Resources functions of Company ASG are conducted by Company A US.Company A transfers the personal data of its employees to Company A US which are then stored in company A Us’s servers.

On 12 November 2020, the Company A Group information technology team noticed anomalies in its systems. Subsequent investigations revealed that, from September to November 2020, a threat actor had accessed the Company A Group server in the USA.

As a preliminary point, Company A US is responsible for maintaining the security and integrity of the Company A Group system including its servers and implementing the appropriate safeguards. However, the data protection obligations in the Personal Data Protection Act 2012 (“PDPA”) do not apply to Company A USas it does not process personal data in Singapore.

Whether Company A SG complied with the Transfer Limitation Obligation

-          It is determined that Company A SG had not complied with the Transfer Limitation Obligation

-          At the material time, Company A US and certain other Company A group entities had put in place a binding intra-group contract called the Global Data Transfer Agreement dated 1 September 2020 (“GDTA”), which governs the terms on which the various Company A group entities transfer personal data to each other.

-          The GDTA contained provisions that required Company A SG to provide any personal data transferred from Singapore a comparable standard of protection to that under the PDPA at the time of the Incident.

In light of Company A SG breach of the Transfer Limitation Obligation, the Commission is empowered under section 48I of the PDPA to issue Company A SG such directions as it deems fit to ensure compliance with the PDPA. This may include directing Company A SG to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.

Company A SG’s breach of the Transfer Limitation obligation was technical and a failure of legal formalities that were not substantive in nature.