Maintaining Data Protection Management Programme (DPMP) PDF

Summary

This chapter details the key takeaways for maintaining a Data Protection Management Programme (DPMP) by an organization. The chapter emphasizes the importance of monitoring external and internal environments, conducting regular reviews, and keeping stakeholders informed of changes to data protection policies. A key element is ensuring the DPMP remains aligned with industry best practices and technological developments.

Full Transcript

10. MAINTAINING THE DATA PROTECTION MANAGEMENT PROGRAMME (DPMP)

The ‘key takeaways’ from this chapter are:
(a) understanding the components of maintaining a Data Protection Management Programme (DPMP) established by an organisation;
(b) monitoring the external and internal environments so that an organisation is apprised of any developments that are relevant to its DPMP;
(c) knowing how to conduct regular reviews of an organisation’s personal data protection policies and practices / SOPs;
(d) keeping staff and external stakeholders apprised of changes to an organisation’s personal data protection policies and practices / SOPs; and
(e) validating an organisation’s DPMP.

10.1 Maintaining the DPMP and Keeping the DPMP Relevant

10.1.1 Organisations are encouraged to routinely review their data protection policies and practices to enable them to identify data protection gaps and the appropriate remedies. In Singapore’s evolving digital economy, this will provide the assurance that the organisation’s data protection practices are in line with regulatory and technological developments and that data protection risks are being managed effectively.

The PDPC encourages organisations to routinely review their personal data protection policies and practices / SOPs to enable them to identify personal data protection gaps and the appropriate remedies for them. This will provide stakeholders with assurance that:
(a) the organisation’s personal data protection policies and practices / SOPs are in line with regulatory and technological developments; and
(b) the organisation is managing personal data protection risks effectively.

10.1.2 In order to maintain its DPMP and keep it up-to-date, the DPO of an organisation should review and revise the DPMP regularly, and should:
(a) monitor the organisation’s external environment (e.g. changes in legislation) and its internal environment (e.g. new business projects that deal with personal data) on an ongoing basis;
(b) regularly audit the organisation’s personal data protection policies and practices; and
(c) set up a system of notification and feedback for internal staff so that they may raise the alert about gaps or risks in personal data protection policies or processes.

10.1.3 In monitoring the organisation’s external environment, the DPO should keep abreast of:
(a) amendments to the PDPA and regulations made under or in accordance with the PDPA;
(b) new advisories and/or resources issued by the PDPC;
(c) personal data protection breaches that occur in other organisations and become known to the public;
(d) changes in sector-specific regulations that apply to the organisation; and
(e) personal data protection best practices adopted by other organisations that become known to the public.

10.1.4 An organisation’s DPO could keep abreast of developments in the external environment by:
(a) signing up with the PDPC’s ‘DPO Connect’ to get updates on personal data protection developments and PDPC events (see www.pdpc.gov.sg/dpo-connect);
(b) subscribing to reporting services and circulars by law firms to get updates on legislative and regulatory developments related to personal data protection;
(c) attending personal data protection-related conferences and training; and
(d) conducting research on developments in personal data protection.
10.1.5 In monitoring the organisation’s internal environment, the DPO should keep abreast of:
(a) the organisation’s systems or processes that collect, use, disclose and store personal data that are being newly designed or are undergoing major changes;
(b) new business engagements entered into by the organisation or that the organisation proposes to enter into;
(c) personal data protection breaches suffered by the organisation; and
(d) feedback from stakeholders – for example, directions given by senior management of the organisation and feedback received from its customers.

10.1.6 An organisation’s DPO could keep abreast of developments in the internal environment by:
(a) conducting staff surveys to understand personal data protection awareness and/or to get feedback on personal data protection practices in the organisation;
(b) conducting Data Protection Impact Assessments (DPIAs) on systems and processes that collect, use, disclose and store personal data that are being newly designed or are undergoing major changes; and
(c) attending to feedback from stakeholders, including customers.

10.1.7 Changes in the external environment and/or in the internal environment may require an organisation to make revisions to its personal data protection policies and practices / SOPs. The organisation will have to decide whether the revisions should be applied immediately (on an ad-hoc basis) or during a periodic review of the DPMP.

10.1.8 It is important for an organisation’s staff, as well as third party organisations engaged to process personal data on its behalf, to know how the organisation expects the personal data to be handled and protected.
In this regard, organisations may consider the following:

Key activity: State the personal data protection clauses clearly in the employment contract
Component: Employment Contract / Employee Handbook
Examples: Update the employment contract with clauses on the responsibility to protect personal data. Details may be contained in the employee handbook, and updated periodically.

Key activity: Set clear requirements on how vendors should manage and dispose of the data
Component: Data protection clauses in third party agreements. For more information, refer to the Guide to Managing Data Intermediaries under the PDPA, the Guide on Data Protection Clauses Relating to the Processing of Personal Data, the Guide to Securing Personal Data in Electronic Medium and the Guide to Disposal of Personal Data on Physical Medium.
Examples: Use standard contractual clauses in contracts and processing agreements with third party service vendors to ensure protection for personal data. Use contractual clauses and retention schedules in contracts and processing agreements with third party service vendors to ensure proper disposal of personal data. Establish measures to verify the identity of third party organisations that have access to your organisation’s collected data.

Key activity: (as above)
Component: Data protection clauses in cross-border transfer agreements
Examples: Establish cross-border personal data transfer contracts (e.g., transfer of personal data within organisations outside of Singapore, or to the parent company) to ensure protection for personal data.

Key activity: Conduct regular review of contracts
Component: Due diligence on third party service vendors
Examples: Conduct due diligence of the personal data protection and security policies, practices and processes of potential vendors / third party sources (e.g., conduct random spot-checks, request an independent audit report).

10.1.9 An organisation should also conduct a Data Protection Impact Assessment (DPIA) to help it identify, assess and address personal data protection risks associated with new changes.
Please refer to the PDPC’s Guide to Data Protection Impact Assessments for further information (available at https://www.pdpc.gov.sg/og).

10.1.10 An organisation needs to keep its stakeholders apprised of changes to its data protection policies and practices / SOPs as part of the organisation’s training and communication plan.

10.1.11 A key part of sustaining an organisation’s DPMP is for it to educate and communicate to all staff the organisation’s personal data protection policies and practices / SOPs. The organisation also needs to evaluate and audit its personal data protection policies and practices / SOPs in order to assess their effectiveness. It should ensure that its personal data protection policies and practices / SOPs are accessible to stakeholders by, for example:
(a) storing a soft copy of them on the organisation’s repository / Intranet for all staff’s reference; and
(b) providing a hard copy to each department.

10.2 Validating the DPMP

10.2.1 Organisations may choose to validate their DPMP through good practices that give them confidence and assurance that their personal data protection measures are aligned to the PDPA and comparable to industry standards, namely by:
(a) having it reviewed by an external third party – this helps ensure that the organisation’s personal data protection policies and practices / SOPs are robust and comparable to industry standards;
(b) seeking to certify their personal data protection policies and practices / SOPs – organisations can look for suitable certification initiatives and apply for them; and/or
(c) monitoring complaints it receives. Complaints can help highlight possible gaps in policies and processes or flaws in the way policies and processes are communicated. The DPO or PDPA Project Team can then use such information to consider improvements to the DPMP.
10.2.2 A personal data protection certification could:
(a) provide the organisation with a competitive advantage; and
(b) boost consumer confidence towards the organisation’s collection, use, disclosure and storage of personal data about them.

10.3 Developing the DPMP audit plan

10.3.1 There are at least two purposes for which an organisation may decide to audit its DPMP:
(a) for compliance with the PDPA: this would involve an audit of:
(i) the organisation’s personal data protection policies and practices / SOPs;
(ii) the organisation’s systems used in collecting, using, disclosing and storing personal data;
(iii) the organisation’s records of personal data collected, the ways in which it is used, the ways in which it is disclosed and the ways in which it is stored or the organisation disposes of it; and
(iv) the organisation’s data intermediaries and other third parties;
(b) for other purposes such as:
(i) gauging staff awareness of the organisation’s personal data protection policies and practices / SOPs;
(ii) assessing the adequacy of the organisation’s training and education activities; and
(iii) assessing the effectiveness of the organisation’s process for on-boarding new staff.

10.3.2 The DPO of an organisation should also ensure there is regular reporting of personal data protection measures to management of the organisation to get their support, direction and feedback. An organisation may wish to develop reporting mechanisms and frequencies (for example, quarterly or annually) for the various feedback mechanisms from the DPO to senior management.
10.3.3 Possible topics for quarterly reporting and discussion might include:
(a) changes made to personal data protection policies and practices / SOPs in the last quarter;
(b) results and action plans after completing the PDPA Assessment Tool for Organisations (PATO) or Data Protection Impact Assessments (DPIAs);
(c) personal data protection audit plans;
(d) the status of existing risks, risk ratings and action plans;
(e) new risks, risk ratings and action plans added in the last quarter; and
(f) current personal data protection issues to note.

10.3.4 Possible topics for annual reporting and discussion might include:
(a) a refreshed personal data protection risk profile for the year; and
(b) a summary of risk remediation plans.

10.3.5 Organisations can also conduct an internal audit to monitor and evaluate the overall implementation of the organisation’s personal data protection policies and practices / SOPs. This could be done by:
(a) conducting an internal audit on a periodic basis;
(b) conducting an ad-hoc walk-through and inspection;
(c) engaging an external party (either on a periodic basis or on an ad-hoc basis) to evaluate implementation; and
(d) obtaining and maintaining certifications for the organisation’s personal data protection measures.

10.3.6 There are three sets of determinants on when to conduct an audit, namely:
(a) time-based: an audit should be conducted as regularly as possible (for example, yearly or half-yearly) so that irregularities or system weaknesses can be detected early and the organisation can put proactive and preventative measures in place;
(b) event-based: events serve as triggers to alert the organisation of irregularities or system weaknesses – these should signal the right time for the organisation to carry out the audits. Examples of events that necessitate an audit include:
(i) anomalies or extraordinary trends (e.g. introduction of new technology, discovery of a vulnerability in existing technology, international personal data legislative/regulatory developments);
(ii) complaints – these usually signify there is something not right or not up to stakeholders’ expectations;
(iii) personal data protection incidents and/or breaches; and
(iv) deterioration of a business function;
(c) new business / data intermediary: these factors introduce new unknowns to an organisation and signal that it is a good time to conduct an audit so that irregularities and/or system weaknesses can be detected early and/or, as the case may be, to audit the processes and operations of the data intermediary (where practicable).

10.3.7 Audits can be conducted by either internal auditors or external auditors of the organisation.

10.3.8 Depending on the audit scope and the organisational entities involved, an internal audit could be performed by:
(a) the PDPA Project Team, or selected staff as directed by the PDPA Project Team;
(b) the organisation’s DPO or delegates of the DPO in each department of the organisation;
(c) the organisation’s compliance department; and
(d) the organisation’s internal audit department.
An external audit could be conducted by professional auditors or audit firms that are outside the organisation.

10.3.9 The considerations for an organisation in deciding on whether to conduct an internal audit or an external audit include:
(a) the objective of the exercise; and
(b) the level of assurance required.
If the objective is to validate/certify the process to satisfy an external stakeholder, then a high level of assurance may be required and an external audit might be conducted. If the objective is to test the effectiveness of existing DP policies and processes in order to improve those policies and processes, then a lower level of assurance may be required and thus an internal audit would be sufficient.
10.3.10 The higher assurance from an external audit is due to the neutrality / independence of the external auditor, who has no vested interest in the organisation, whereas staff of the organisation conducting an internal audit are part of the organisation and it may be difficult for them to be neutral or independent.

10.3.11 It is important to take note of possible conflicts of interest when conducting internal audits – a conflict of interest may arise in an internal audit as the people who set the rules are the same people who audit compliance with the rules.

10.3.12 Also, consider the workload of internal audit staff – due to other priorities or workload constraints, staff assigned to do the internal audit may not have enough capacity to conduct the audit.

10.3.13 Another consideration is cost and timeframe – external auditors usually cost more and take a longer time to complete the audit as they need to invest time upfront to learn about the organisation and how it works, while internal auditors usually cost relatively less as they are already drawing fixed salaries from the organisation and are familiar with the organisation, so they can take a shorter time to complete the audit but may be constrained by workload (as mentioned above).

10.3.14 A data protection audit report is delivered to the organisation at the completion of an internal audit or external audit.
The report should, as a minimum, contain:
(a) compliance status: the extent to which the organisation complies with the PDPA and the organisation’s personal data protection policies and practices / SOPs;
(b) key findings and observations: what the auditors uncover and observe in the organisation’s operations, systems and processes, including strengths and positive findings as well as gaps and weaknesses;
(c) remediation / recommendations: what actions the auditors recommend to address or remedy the shortcomings and to reinforce the strong points; and
(d) best practices: what the auditors recommend as the best practices for the organisation to adopt.

10.3.15 The organisation needs to follow up on the audit recommendations to ensure that gaps and weaknesses are addressed and closed. A follow-up process should be established to make sure that recommendations have either been implemented or senior management has accepted the risk of not taking action. Follow-up actions should be tracked and documented. At the end of the audit project, a follow-up report should be completed, presented to senior management and signed off.

Resources For Chapter 10 Developing The Data Protection Management Programme (DPMP) – Maintenance

For further information on updates on personal data protection developments and PDPC events, sign up with the PDPC’s ‘DPO Connect’: www.pdpc.gov.sg/dpo-connect

For further information on identifying, assessing and addressing personal data protection risks associated with new changes, see the PDPC’s Guide to Data Protection Impact Assessments: https://www.pdpc.gov.sg/og

Annexure 1: Sample Incident Record Log
