Singapore | PDPC issues Guide to Accountability in Personal Data Protection
On 15 July 2019, the Personal Data Protection Commission (“PDPC”) issued its Guide to Accountability (“Guide”) that explains the principle of accountability in the context of personal data protection and how the PDPC has implemented this in Singapore. The Guide also sets out recommendations on how organisations can implement accountability-based measures. The Guide is part of a series of efforts by the PDPC to shift the emphasis in personal data protection from compliance to accountability. Please see our earlier legal update on other initiatives from the PDPC.
Accountability under the Personal Data Protection Act 2012 (“PDPA”) requires organisations to undertake measures to ensure and demonstrate compliance with the PDPA. For instance, the organisation is required to designate a data protection officer, who will be responsible for ensuring the organisation’s compliance with the PDPA. Ideally, the data protection officer should be part of senior management of the organisation. In addition, the organisation is required to develop and implement internal and external policies for data protection.
Apart from the mandatory accountability requirements under the PDPA, organisations should also consider implementing further accountability measures set out in the Guide. These measures are categorised under Policy, People and Process.
- Policy. Embed personal data protection into corporate governance through the involvement of senior management, and develop and communicate personal data protection policies clearly to both internal and external stakeholders.
- People. Inculcate responsible personal data protection values in every employee, and ensure each employee is aware of and adheres to the organisation’s data protection policies and processes. Staff should receive in-depth training customised to their areas of responsibility.
- Process. Institute proper processes to operationalise data protection policies throughout the data lifecycle and across business processes, systems, products or services. These processes should be reviewed regularly to meet the organisation’s business needs and should be kept up to date with regulatory and technological developments.
The Guide is available here.
If you have any questions on the above, please contact Heng Jun Meng or the ZICO Insights Law LLC partner you usually deal with.