In this article, we use a recent case to emphasise the significance of enforcing the Protection Obligation, and of appointing an outsourced DPO to help you stay compliant with the PDPA when collecting clients' personal data. This applies to education centres, healthcare associations and other organisations that collect personal data in the provision of their services.
On 24 February 2021, the Country Club involved notified the Personal Data Protection Commission that one of its employees' email accounts had been compromised and that 600 phishing emails had been sent from it to various individuals on 22 February 2021.
The Organisation subsequently requested that the matter be handled under the Commission's expedited breach decision procedure. It also admitted that it was in breach of section 24 of the Personal Data Protection Act (the "PDPA"), as it had failed to document its password policy in writing.
The Protection Obligation under section 24 of the PDPA extends to and includes the training of all employees who handle personal data in the course of their work, so that an organisation's employees can successfully adopt and implement the policies and best practices that protect personal data within the organisation.
The Deputy Commissioner imposed on the Organisation a financial penalty of $4,000, payable within 30 days from the date of the notice accompanying the decision.
It is important for any organisation that collects clients' personal data to protect that data with cyber security solutions such as endpoint protection software.