
Day 3

© 2023 by ACT:DPI Pte Ltd. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or otherwise, without prior written permission of ACT:DPI Pte Ltd
Should Management be Concerned?
“It won’t happen to us”
FRI, FEB 07, 2020
Lyn Boxall

• Real Cost
• Fines
• Cost of clean up
• Regulatory investigation
• Reputation, brand damage, loss of customer trust - real pain points that can decimate shareholder value
• Senior staff are distracted from their business priorities that generate revenue
• Costs of consultants to assist in the investigation can easily run into six figures
Sources: www.businesstimes.com.sg

Governance & Risk Management

What Needs to be Done? / How to do it?

1 Set up Governance Structure
   a) Define terms of reference
   b) Define roles and responsibilities
   c) Refer to template from PDPC

2 Decide on the DP matters that should be part of enterprise risk management
   a) Decide what DP risks need management oversight and attention
   b) Decide how regular these risk items need to be brought up during the management meeting (frequency)
   c) Refer to template from PDPC

Personal Data Protection Policy (Internal)
Sample Table of Content
• Objective
• Scope
• Corporate Structure and Enterprise Risk Management
• Data Inventory Map
• Managing Access & Correction request
• Collection, Use and Disclosure
• Care of Personal Data
• Managing Data Breaches
• Training & Communications
• Staff Accountability
• Organisational Accountability
• Sending Emails containing Personal Data
• Useful Links

Callouts: Advisory Guidelines from PDPC; Data Inventory Map; PATO; Data Protection Notice
Reference: DPaaS@SME by IMDA
DP Practices

What are the Areas? / How to do it?

1 Projects
   - Put data protection considerations in upfront instead of as an afterthought
   a) Adopt a Data Protection by Design approach

2 Staff
   - State data protection practices clearly for staff to follow
   a) Employment contract
   b) Employment handbook
   c) HR intranet

3 3rd Parties / Vendors
   - Ensure 3rd parties / vendors manage and dispose PD properly
   a) Data Protection clauses in contracts
   b) Conduct due diligence, audits, spot checks

In Summary : DPMP

Source: pdpc website


In Summary : DPIA

Source: Guide to Data Protection Impact Assessment
