Chapter 5: Risk Management and Data Protection


Questions and Answers

Which parameter measures the risk of unauthorized disclosure harming stakeholders' interests?

  • Compliance
  • Integrity
  • Confidentiality (correct)
  • Availability

What is the primary goal of risk management within an organization?

  • To increase operational costs effectively
  • To comply strictly with regulations
  • To eliminate all potential risks
  • To ensure that uncertainty does not hinder business goals (correct)

What type of risk is associated with the quality or corruption of information?

  • Integrity (correct)
  • Availability
  • Confidentiality
  • Legality

Which of the following actions is NOT part of the risk management process?

Answer: Ignoring potential risks

In the context of risk management, what constitutes a risk?

Answer: A potential for loss or negative effect

Which parameter assesses the risk that information may not be accessible to intended users when needed?

Answer: Availability

What can happen to an organization that fails to manage its risks effectively?

Answer: It may miss opportunities due to excessive caution

What can be a consequence of viewing PDPA compliance merely as a legal exercise?

Answer: Failure to comply with the Protection Obligation

What characterizes leadership complacency regarding PDPA compliance?

Answer: An 'it won't happen to us' mentality

Which of the following issues can result from improper training in an organization?

Answer: Failures in complying with data protection policies

What impact does lack of oversight of third parties have on PDPA compliance?

Answer: Increased vulnerabilities from data intermediaries

Disjointed practices within an organization can lead to which of the following outcomes?

Answer: Failure to comply with various obligations under the PDPA

What is the primary purpose of a data classification policy?

Answer: To categorize data according to its sensitivity and/or its confidentiality

Which element is NOT typically associated with a data classification policy?

Answer: Executing emergency response procedures

When developing a data classification policy, who should be responsible for classifying data?

Answer: Designated staff with specific accountability

What is a key factor to consider for each data classification level?

Answer: The access rights to the relevant data

How should protection measures correspond with data classification levels?

Answer: Based on the risk level and nature of the data

Which of the following is NOT a proposed level of data classification?

Answer: Public information

What role does data classification play in incident and security management procedures?

Answer: It helps to identify and manage risks effectively

Which type of solutions should the information security requirements include?

Answer: Both digital and non-digital solutions

What is one of the main benefits of a well-planned data classification policy? (Select all that apply)

Answers: Governs data access with the appropriate level of access control; It ensures that data is easy to find and retrieve

What is an organization required to ensure when outsourcing data processing to a data intermediary?

Answer: That it makes reasonable security arrangements for the personal data it possesses.

What should an organization consider if a potential data intermediary is based outside of Singapore?

Answer: The specific risks related to the vendor's location and compliance with the Transfer Limitation Obligation.

How should access to personal data be controlled within an organization?

Answer: On a 'need to know' basis with proper authorization.

What can lead to a failure to comply with the Protection Obligation?

Answer: Employee carelessness or negligence during processing.

What must organizations verify regarding personal data disclosures?

Answer: Disclosures are authorized and not excessive.

What should an organization's policy concerning personal data retention align with?

Answer: The legal requirements of the relevant jurisdiction.

What type of risks are associated with involvement from third-party service vendors?

Answer: External risks concerning personal data handling.

Which of the following is a common violation seen in enforcement decisions regarding the Protection Obligation?

Answer: Inadequate security arrangements for personal data.

What is critical for organizations to ensure when disposing of personal data?

Answer: That disposal methods are compliant with the Protection Obligation.

Which of the following best describes the consequences of a lack of defined data classification policies?

Answer: Increased risk of unauthorized access to personal data.

What is a primary reason for the failures when engaging data intermediaries?

Answer: Lack of clarity in the obligations of the data intermediary

Which scenario exemplifies a failure due to insufficient data security measures by a data intermediary?

Answer: The IT system of the data intermediary is hacked, leading to exposed personal data

What continuous obligation does an organisation have when outsourcing data processing to a data intermediary?

Answer: To ensure reasonable security arrangements for the personal data

Which of the following is NOT a factor to watch out for when engaging data intermediaries?

Answer: The size of the data intermediary's workforce

What is a potential risk involved in the electronic processing of personal data?

Answer: Exposure to unauthorized access through cyber hacking

Which of the following indicates inadequate oversight by an organisation over a data intermediary?

Answer: Failing to monitor data access logs from the intermediary

What consequence may arise from a poor contract with a data intermediary?

Answer: Violations of security requirements by the data intermediary

Which of the following should be a standard practice for an organisation using data intermediaries?

Answer: Regularly assessing the data intermediary's compliance with policies

What does the Protection Obligation entail for an organisation when engaging a data intermediary?

Answer: Maintaining obligations equivalent to handling data directly

Which of the following practices should be avoided by data intermediary staff?

Answer: Bringing personal devices to work without proper security measures

What are the three industry-recognized parameters of impact when data is compromised?

Answer: Confidentiality, Integrity, Availability

Why is data classification important? (Select all that apply)

Answers: Helps an organization to assess risk; Plays a part in incident and security management procedures; Is an important element in drafting or executing a personal data protection policy, an information security policy, and a data retention policy

What is risk management? (Select all that apply)

Answers: The identification, assessment, and prioritization of risks; Actions to minimize, monitor, and control the probability of the risky event occurring and/or its impact if it does occur.

What are the 4 categories of risk?

Answers: Compliance; Financial; Operational; Strategic

What is the Transfer Limitation Obligation under the PDPA?

Answer: It requires ensuring that personal data is transferred to another country only in accordance with the requirements prescribed under the PDPA.

What are the possible risks or outcomes for failing to comply with the PDPA? (Select all that apply)

Answer: All of the listed options

In the context of risk management, what is a threat? (Select all that apply)

Answers: A potential event that could cause harm; Malware and spyware

In the context of risk management, which of the following are examples of vulnerabilities? (Select all that apply)

Answers: Inadequate firewall; Failure to apply update patches to software; Weak internal policies allowing paper documents to leave the office

A threat is something with the potential to do harm.

Answer: True

A vulnerability is a weakness, gap, or shortcoming that can be exploited by a threat; in other words, it can lead to a potentially harmful situation.

Answer: True

Which of the following statements about data classification are true? (Select all that apply)

Answers: Data classification helps an organization to assess risk; Data classification plays a part in incident and security management procedures; Data classification is an important element in drafting a data retention policy

Which of the following are examples of instances of non-compliance with the PDPA? (Select all that apply)

Answer: All of the above

What should a company look out for when engaging a data intermediary? (Select all that apply)

Answers: The IT system/network of the data intermediary being hacked and the hacker gaining access to personal data under the control of the organization; Unauthorized disclosure of personal data by the data intermediary; Data intermediary staff not complying with the data intermediary's information security policy or practices by bringing their own devices to work; Insufficient information security controls in the data intermediary's IT system; Poor or no written contract between the organization and the data intermediary, leading to violation by the data intermediary of the organization's information security requirements; Lack of oversight by the organization that engaged the data intermediary

What is the difference between a 'cyber security incident' and a 'personal data breach'?

Answer: The two overlap rather than one containing the other: a cyber security incident is also a personal data breach when it exposes personal data, while a personal data breach can occur without any cyber incident (for example, a lost device or paper records leaving the office).

A risk assessment framework (also known as 'risk rating/scoring') is a technique used to rate each individual risk based on a combination of which of the following factors?

Answer: Impact on the business and likelihood of occurrence

What are the responsibilities of the DPO after the risks have been ranked? (Select all that apply)

Answers: To collate and prioritise all identified risks related to PDPA compliance; To summarise the risks identified in a report for the senior management of the organisation

In some organizations, the PDPA Project Team and senior management are the same group of people or have a significant degree of overlap. In larger organizations, how does the PDPA Project Team typically relate to senior management?

Answer: They report to senior management, with only a small degree of overlap in membership.

What should the DPO do after the risk ranking report has been compiled? (Select all that apply)

Answers: Share the report with the PDPA Project Team and senior management; Engage and update senior management; Regularly monitor the personal data protection risks; Senior management may delegate but remain responsible

Flashcards

Confidentiality (C)

The risk of unauthorized or inappropriate disclosure of sensitive information.

Integrity (I)

The risk of information becoming corrupted or inaccurate.

Availability (A)

The risk of information not being accessible when and where it is needed.

Risk Management

The process of identifying, assessing, and prioritizing risks, followed by actions to minimize, monitor, and control the probability of the risky event occurring and/or its impact if it does occur.

Objective of Risk Management

To ensure that uncertainty and unforeseen events do not hinder the organization's progress towards its business objectives.

Risk

A potential for negative consequences, loss, or harm in a particular situation.

Risk in PDPA Compliance

The potential for non-compliance with the Personal Data Protection Act (PDPA), including its Do Not Call (DNC) provisions.

Data Classification

Categorizing data based on its sensitivity or confidentiality; it supports risk assessment and informs policy development.

Data Classification Policy

Defines the classification levels, who is accountable for classifying data, the access rights for each level, and the level of protection required for each category.

Access Control

Establishes who may access and modify data, based on its classification; personal data is accessed on a 'need to know' basis with proper authorization.

Consistent Data Classification

Ensures data is treated and labelled consistently across the organization, making it easier to find and retrieve.

Risk Assessment

Rating each risk by its likelihood and its impact on the business; a factor in determining the level of protection required for each data category.

Risk Management in PDPA Compliance

The process of identifying, assessing, and prioritizing risks related to personal data protection.

Information Security Requirements

Measures taken to protect digital and non-digital data, proportionate to its risk level and classification.

Digital and Non-Digital Solutions

Controls such as encryption and access control for electronic data, and physical security measures for paper records, used to safeguard sensitive data.

Outsourcing and Data Security

Even when an organization outsources data processing to a third party, it remains responsible for protecting personal data under its control.

Data Intermediary Location Risk

Organizations must carefully consider the risks associated with data intermediaries located outside Singapore, especially compliance with the Transfer Limitation Obligation.

Need-to-Know Access

Staff access to personal data should be limited to those who need it for their role, and only for specific authorized purposes. This is essential for data security and integrity.

Employee Negligence and Data Protection

The organization must identify points in its processes where carelessness could lead to a breach of data protection laws.

Authorized and Non-Excessive Disclosure

Organizations must ensure that every disclosure of personal data is authorized and not excessive, to comply with data protection laws.

Data Retention Policy

Organizations must have a retention policy that complies with the legal requirements of the relevant jurisdiction and does not keep personal data longer than necessary.

Secure Data Disposal

Organizations must have secure data disposal processes so that deleting or discarding personal data complies with the Protection Obligation.

Data Intermediaries and External Risks

Data intermediaries, being third-party vendors, pose external risks to an organization's data security.

Protection Obligation Violations

The majority of data protection enforcement actions involve organizations failing to adequately protect personal data.

Data Intermediaries and Data Security Challenges

Data intermediaries present particular challenges to maintaining data security; organizations need to carefully vet and manage these relationships.

Ignoring PDPA Compliance

Failure to comply with the PDPA because compliance is treated as a legal exercise rather than an operational requirement with security considerations.

Poor Employee Training on PDPA

Inadequate training or communication about data protection and security policies, leaving employees unaware of their responsibilities.

Disjointed Data Practices

Disjointed practices and processes within an organization, causing information silos and inconsistent data handling.

Leadership Complacency on PDPA

Leadership apathy towards PDPA compliance (the 'it won't happen to us' mentality), resulting in a casual attitude towards data protection among staff.

Neglecting Third-Party Data Security

Lack of oversight and insufficient contracts with third parties handling personal data, increasing security risks.

Data Intermediary's Role

An organization that processes personal data on behalf of, and for the purposes of, another organization.

Data Intermediary's Obligations

The obligations an organization retains for personal data handled by its data intermediary: it remains responsible for protecting that data as if it were processing the data itself.

Governance Principles for Data Intermediaries

The organization's framework for managing the risks involved with data intermediaries, ensuring compliance and security.

Data Intermediary Hack

A scenario in which the organization's personal data is compromised because the data intermediary's system is breached.

Unauthorized Disclosure by a Data Intermediary

A data intermediary divulging personal data, intentionally or unintentionally, in violation of data protection rules.

Data Intermediary Staff Device Use

Staff of a data intermediary violating its security policy by bringing their own devices to work without proper security measures.

Insufficient Data Intermediary Security

Inadequate information security controls in the data intermediary's IT system, leaving personal data vulnerable.

Incomplete Data Intermediary Contract

Poor or no written contract setting out the data protection and information security responsibilities of the organization and the data intermediary.

Lack of Data Intermediary Oversight

The organization's failure to sufficiently monitor and supervise the data intermediary (for example, not reviewing its data access logs or assessing its compliance), leading to potential breaches.

Organization's Responsibility for Data Intermediary Processing

The organization's responsibility to protect personal data processed by a data intermediary, as if it were handling the data directly.

Study Notes

Key Takeaways from Identifying and Assessing Risks

  • Senior management should understand and regularly review risks.
  • Identify data protection and information security risks within each department's business processes.
  • Assess risks related to data intermediaries and regulatory requirements.
  • Establish a baseline of vulnerabilities, gaps, and exposures to data protection risks.
  • Escalate key issues to senior management for designing a risk-based implementation strategy for the Data Protection Management Programme (DPMP).

Introduction to Risk and Risk Management

  • Senior management must understand risks, and regularly review them to consider changes in business models, regulations, technology or other factors.
  • Four general categories of risk: financial (money and financial processes), strategic (achievement of company objectives), operational (day-to-day organisational processes), and compliance (legal and ethical).
  • Data protection has implications for all four categories.
  • Risks for personal data are described by Confidentiality, Integrity and Availability (CIA). Confidentiality risk is unauthorised or inappropriate disclosure; integrity risk is the corruption or inaccuracy of information; availability risk is the data not being accessible to its intended users when needed.

Risks Relating to the DP and DNC Provisions

  • Risks of non-compliance with the PDPA (Personal Data Protection Act): failing to meet any of its eleven data protection obligations, or breaching the Do Not Call (DNC) provisions.
  • Instances of non-compliance include consent issues, notification issues, purpose limitation, accuracy concerns, retention limitation, protection issues, access and correction problems, transfer limitation, accountability lapses, data portability problems and data breach notification failures.
  • Example of a DNC provisions failure: not checking the relevant DNC Registry before sending a marketing message.

Risks Relating to Business Processes

  • Risks concerning non-compliance with the PDPA, business processes, third-party vendors and electronic data processing.
  • Potential issues relate to whether data collection is authorized, the appropriate level of data collection, sensitive data collection and security, and processes for handling personal data.
  • The organisation needs to be aware of, and comply with, the rules and regulations governing the collection, handling, use and disposal of personal data.
  • Key questions to identify gaps: Whether the organisation is collecting more personal data than necessary, whether the data is being processed in a reasonable manner, whether there are any secondary purposes for which personal data is used, and whether personal data is of a sensitive nature.

Risks Relating to Data Intermediaries

  • Risks involving third-party vendors or service providers that process personal data on the organisation's behalf.
  • The organisation must make reasonable security arrangements for that data; outsourcing the processing does not outsource the Protection Obligation.
  • Typical failures: the intermediary's IT system being hacked, and loss or theft of devices containing personal data.
  • Contractual gaps, insufficient information security controls in the intermediary's IT system, and lack of oversight by the organisation all need to be considered.

Risks Relating to Electronic Processing of Personal Data

  • Risks related to electronic data processing include those concerning cyber-security incidents, and personal data breaches.
  • Examples: malware attacks, unauthorized access, loss or theft of devices with data, software/program code failures.

The Seven Common Mistakes Made by Organisations

  • Insufficient data protection measures.
  • Inadequate information or physical security measures.
  • Disjointed practices in the organisation, especially between different departments.
  • Poor employee training on data protection rules and procedures.
  • Lack of oversight of third parties (e.g. data intermediaries).
  • Lack of leadership action/complacency on data protection.
  • Physical security or data security lapses.

Assessing, Measuring and Ranking Risks

  • The organisation needs to assess the likelihood of each risk occurring and the impact if it does occur.
  • Use a risk assessment framework (risk rating/scoring) to rate each risk consistently.
  • Assign each risk a number from a likelihood scale and a number from an impact scale; multiply the two to arrive at its risk ranking score, then rank the risks by score.
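The multiply-and-rank step described above, as an added example (not code from the course or from the PDPC): a small risk register rated on assumed 1 to 5 likelihood and impact scales is scored, placed into bands and sorted for the DPO's report. The scales, band thresholds, tiebreak rule and register entries are all illustrative assumptions; an organisation sets its own.

```python
"""Risk rating example (added illustration, not part of the course material).

Each risk gets a likelihood score and an impact score; their product is the
risk ranking score. The 1-5 scales, the band thresholds and the sample
register are assumptions made for this demo.
"""
from dataclasses import dataclass

# Assumed scales (the course only says "a likelihood scale and an impact scale").
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed bands over the 1..25 score range, checked from the highest down.
BANDS = ((12, "high"), (6, "medium"), (1, "low"))


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject values outside the agreed scales, so a typo such as
        # likelihood=10 cannot silently dominate the ranking.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.ref}: likelihood {self.likelihood} is not on the 1-5 scale")
        if self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: impact {self.impact} is not on the 1-5 scale")

    @property
    def score(self) -> int:
        """Risk ranking score = likelihood x impact."""
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        for threshold, name in BANDS:
            if self.score >= threshold:
                return name
        return "low"


def rank(risks):
    """Highest score first. On equal scores the higher-impact risk ranks first:
    an assumed tiebreak, on the view that a rare but severe event deserves more
    management attention than a frequent nuisance with the same product."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def report(risks):
    """Return (ref, score, band) tuples in ranked order, the shape a DPO would
    summarise for senior management."""
    return [(r.ref, r.score, r.band) for r in rank(risks)]


# Constructed sample register (illustrative entries only).
REGISTER = [
    Risk("R1", "Data intermediary's IT system hacked, personal data exposed", 3, 5),
    Risk("R2", "Marketing message sent without checking the DNC Registry", 4, 3),
    Risk("R3", "Staff email personal data to the wrong recipient", 2, 2),
    Risk("R4", "Paper records taken out of the office under a weak policy", 2, 5),
    Risk("R5", "Personal data retained after its purpose has lapsed", 5, 2),
]

if __name__ == "__main__":
    for ref, score, band in report(REGISTER):
        print(f"{ref}: score {score:2d} ({band})")
```

R4 and R5 both score 10; the tiebreak puts R4 (impact 5) ahead of R5 (impact 2), which is the kind of rule an organisation should write down so two assessors rank the same register the same way.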

Next Steps after Ranking Risks

  • The DPO should provide sufficient assistance to the organisation's departments to fulfil requirements for building a data inventory, risk assessment and risk ranking.
  • DPO needs to collate and prioritise the risks, and summarise them for senior management's review and approval.
  • Senior management need to be involved in the data protection compliance process.
  • Engage senior management regularly, and update them as the DPMP evolves.
  • Ensure the right level of priority and resources is given to data protection.
  • Regular monitoring of personal data protection risks.
