Chapter 3: Data Protection Management Programme (DPMP) PDF

Summary

This document provides an overview of a Data Protection Management Programme (DPMP). It details the key takeaways, benefits of implementing a DPMP, and the components and considerations for its implementation. The document also highlights some specific steps in the process.

Full Transcript

3. OVERVIEW - DATA PROTECTION MANAGEMENT PROGRAMME (DPMP)

The key ‘takeaways’ from this chapter are:
(a) A DPMP is a four-step programme to help organisations establish a robust data protection infrastructure involving: (i) establishing a governance structure to define values and identify risks with organisational leadership; (ii) developing a data protection policy and designating data protection roles and responsibilities; (iii) designing processes to operationalise policy; and (iv) detailing steps to keep data protection policies and processes up-to-date.
(b) Establishing a DPMP helps an organisation to demonstrate accountability in data protection. This provides confidence to stakeholders and fosters high-trust relationships with customers and business partners.

3.1 Benefits: Why an organisation should have a DPMP

3.1.1 To demonstrate accountability, each organisation needs to assess and implement accountability frameworks, measures and tools that are suited to its business needs and appropriate in the circumstances. A Data Protection Management Programme is one such framework. The Data Protection Management Programme (“DPMP”) is a framework that provides the foundation for organisations building a robust personal data protection infrastructure and demonstrating accountability in personal data protection. A DPMP sets out the organisation’s management policies on personal data, the systematic application of accountable practices and processes, and the roles and responsibilities of the people in the organisation.
3.1.2 The main benefits of a DPMP are:
(a) to help organisations develop, manage and maintain a robust data protection infrastructure;
(b) to help an organisation demonstrate accountability in data protection;
(c) to help foster a culture of data protection within the organisation;
(d) to provide assurance (if the DPMP is developed and implemented well and adequately) that the organisation has adequate data protection policies and practices in place to manage its data protection risks and to comply with the PDPA;
(e) to foster confidence and trust among customers, clients, business partners and other stakeholders; and
(f) to enhance the organisation’s public image and reputation, which could provide businesses with a competitive edge.

3.1.3 The PDPC has issued a Guide to Developing a Data Protection Management Programme (DPMP Guide) (available at https://www.pdpc.gov.sg/og). Organisations may benchmark their existing personal data protection policies and practices against this Guide. Ultimately, organisations should tailor their personal data protection policies and practices to their organisational needs. The DPMP is only as effective as the related tools implemented by an organisation.

3.2 Components of DPMP

3.2.1 A DPMP is a four-step programme to help organisations establish a robust data protection infrastructure through:
(a) Governance and Risks: establishing a governance structure to define values and identify risks with organisational leadership;
(b) Policy and Practices: developing a data protection policy and designating data protection roles and responsibilities;
(c) Processes: designing processes to operationalise policy; and
(d) Review: detailing steps to keep data protection policies and processes up-to-date.

3.2.2 Organisations may consider the following table from the DPMP Guide when developing their DPMP:

1. What: Document personal data flows in your organisation to understand how personal data is being collected, stored, used, disclosed, archived/disposed.
   How:
   - Use a data inventory map or data flow diagram
   - Create a consent registry

2. What: Adopt accountability tools to identify key gaps and areas for improvement with respect to data protection.
   How:
   - Identify gaps using PDPC’s PDPA Assessment Tool For Organisations (pdpc.gov.sg)
   - Use the relevant tools to address gaps after identifying them
   - Refer to relevant Advisory Guidelines and Guides published by PDPC, as well as industry best practices

3. What: Incorporate data protection good practices into business processes, systems, products or services.
   How:
   - Adopt a Data Protection by Design approach, including conducting Data Protection Impact Assessments (DPIA) for systems or processes that are new or undergoing major changes
   - Ensure compliance to the PDPA and the organisation’s data protection policies:
     - Use contractual clauses
     - Conduct checks on compliance to clauses
   - Establish a process for data breaches by observing PDPC’s CARE framework and use an incident record log to document incidents and post-breach response

4. What: Establish risk monitoring and reporting structure.
   How:
   - Manage risk through an enterprise risk management framework with reporting mechanisms
   - Conduct internal audits to monitor and evaluate the implementation of data protection policies and processes

3.3 Considerations for implementing a DPMP

3.3.1 There is no ‘one-size-fits-all’ approach.
Here are a few common considerations an organisation would need to look into:
(a) to ensure that it has a ‘management sponsor’ of its DPMP – a management sponsor is a member of senior management (and is often the Chief Executive Officer, Executive Director, Country Manager or other leader of the organisation in Singapore) who is the ‘champion’ and driver of the DPMP and (i) who has the authority to make sure that adequate manpower and financial resources are dedicated to the DPMP initiative; (ii) who, with his/her involvement, is able to emphasise to staff within the organisation that the highest level of the organisation considers developing and implementing a DPMP a high priority for the organisation; and (iii) who generally oversees the DPMP project team to steer the overall DPMP development, completion, maintenance and regular review. This includes giving the DPO the senior management support which is necessary to enable the DPO to ensure that all departments within the organisation that collect, use, disclose and store personal data are involved fully in developing the DPMP - in particular, to make final decisions about how the organisation will treat personal data protection related risks that it identifies;
(b) to identify key stakeholders and to consider the extent to which they need to be brought into the DPMP process: it is important to recognise their diverse interests and to consider those diverse interests so that they do not pose resistance or obstacles to developing and implementing the DPMP successfully – employees are the most obvious stakeholder group and providing them at the outset with: (i) information about what the organisation is planning to do, why the organisation is planning to do it and what it will mean for their day-to-day work; and (ii) an opportunity to ask questions and have them answered, are both of paramount importance for employee ‘buy-in’, together with giving them general information about the DPMP as it is developing and an opportunity to contribute to programme development so that they can develop a sense of ownership of the outcomes of the DPMP;
(c) to leverage key functions and involve all departments that collect, use, disclose and/or store personal data to form a PDPA project team – that is, to decide which individual employees should be included to work on the DPMP and to ensure that no key function or department is left out, because successful implementation of a DPMP requires all functions to have input into the development and implementation of a DPMP and for all departments that collect, use, disclose and/or store personal data to be actively involved in developing and implementing it;
(d) to develop an enterprise risk management framework which includes the conduct of risk assessments to identify and assess potential personal data protection related risks over the information life-cycle (that is, the collection, use, disclosure and storage of personal data) in a systematic and comprehensive manner. One way of identifying and assessing personal data protection-related risks is the conduct of a data protection impact assessment (see Chapter 8);
(e) to develop controls (including technical, physical and administrative) to manage the personal data protection-related risks identified during the risk assessment process so that they are treated or mitigated in a manner that is appropriate to the circumstances of the organisation; and
(f) to conduct data protection training to educate all staff, calibrating it to include details of processes and controls for those staff who handle personal data as part of their job duties – it will also be necessary to develop a plan for ongoing awareness training (because simply educating staff once is not sufficient) and for on-boarding training of new staff.
3.4 Addressing challenges in implementing DPMP

3.4.1 For many organisations, SMEs in particular, achieving sales and profitability will be the main concern and priority versus a DPMP. Management may ask ‘Why should the organisation develop and implement a DPMP?’ The DPO will need to: (a) explain why developing and implementing a DPMP should be a priority; and (b) justify this priority status. For example, organisations can use a business case – likely a cost-benefit analysis – or the results of a data protection impact assessment or risk analysis.

3.4.2 The DPO might explain the potential penalties if the organisation fails to comply with the PDPA – but an: (a) ‘it won’t happen to us’ mentality and (b) ‘we’ll deal with it if and when it happens’ attitude, are likely barriers to making a persuasive case about potential penalties.

3.4.3 The DPO will need to highlight the potential reputational and business loss if the organisation suffers a data breach. This may be subject to the prejudices mentioned above, but at least it ties in with the organisation’s main sales and profitability priorities.

3.4.4 The reality is that the DPO will need to prioritise and elevate the discussion about compliance with the PDPA by adding together: (a) their explanation about potential penalties for failing to comply; and (b) information about how soon the organisation will get a return on its investment (ROI) in compliance with the PDPA.

3.4.5 The DPO can also address these challenges by demonstrating the benefits of compliance with the PDPA to management. The benefits of gaining and nurturing the trust and confidence of stakeholders as a trustworthy and reputable organisation in terms of its handling of personal data locally and internationally include:
(a) customers or clients may purchase more or become repeat customers or clients. They may be willing to pay a higher price for the goods and services and may recommend the organisation to their friends and family;
(b) members of the general public will be better disposed toward the organisation and may therefore be more inclined to become consumers of the organisation’s goods and services or may otherwise support the organisation and its business or mission;
(c) regulators and other government authorities who oversee an organisation that they trust will likely spend less time requiring the organisation to explain or account for its activities, saving valuable time of the organisation’s senior management and other organisational resources – the expense in terms of senior management time and distraction that results from a regulatory investigation should never be under-estimated;
(d) professional organisations and associations may favour and support organisations in which they have confidence and which they trust – for example, they might feature such organisations in their promotional literature and/or invite them to speak publicly on industry-related topics and issues, activities which lift the organisation’s profile and show it in a favourable light;
(e) employees who trust the organisation and have confidence in it are more likely to stay with the organisation for a longer period of time, resulting in the organisation gaining increasing benefits from the time and money invested in their training and their detailed knowledge of the organisation’s business or mission – they are also more likely to share positive word of mouth with friends and family about the organisation as a good place to work and with which they should do business;
(f) an organisation that is trusted by potential associates and in which they have confidence is likely to have a larger and better quality pool of potential associates with which the organisation can choose to work in connection with its business or mission;
(g) organisations obtaining services from third parties in relation to processing of personal data may be more inclined to select the data intermediary with established policies and processes for handling personal data due to increased levels of trust in, and confidence in, the data intermediary;
(h) trust and confidence are central to investment decisions, so that gaining the trust of both existing and potential investors and nurturing their confidence in the organisation is key to a harmonious relationship between an organisation and its investors and potential investors – in addition, where investors trust an organisation and have confidence in it they are less likely to use valuable management time and resources by monitoring the organisation closely; and
(i) if the media does not trust an organisation and have confidence in it, media coverage will be, at best, either neutral or non-existent. The media may reflect the organisation poorly in opinion articles and reviews. On the other hand, an organisation that the media trusts and has confidence in is more likely to get good media coverage.

3.5 Establishing a Governance Structure

3.5.1 Organisations would need to establish a governance structure to define values and identify risk with organisational leadership. The involvement and support of an organisation’s leadership is important in demonstrating commitment to personal data protection. The Senior Management of an organisation provides leadership via its various responsibilities, such as:
(a) defining the strategic corporate values and principles to align data protection obligations and responsibilities within the organisation;
(b) allocating resources (e.g. budget, manpower) to data protection;
(c) appointing and empowering the Data Protection Officer (DPO);
(d) monitoring and managing personal data protection risks as part of corporate governance (e.g. corporate risk management framework), and where relevant, reporting to the Board which typically oversees risk governance;
(e) providing strategic guidance on the implementation of data protection initiatives;
(f) approving the organisation’s Data Protection policies and Data Protection Management Programme (DPMP);
(g) commissioning Data Protection Impact Assessments (DPIA);
(h) advocating data protection training;
(i) providing direction to the DPO for the handling of major complaints and managing data breaches, including implementation of remediation plans; and
(j) providing direction to the DPO for communication and liaison with the Personal Data Protection Commission (PDPC).

3.5.2 Organisations should consider including personal data protection policies in their corporate governance policies. This will enable organisations to leverage their corporate governance structures to monitor and manage personal data protection issues.

3.5.3 The senior management of an organisation should have an understanding of risks including personal data protection risks, and review the risks on a regular basis to take into consideration changes in business models, regulations, technology and other factors.

3.5.4 As part of corporate governance, organisations are encouraged to establish an enterprise risk management framework with monitoring and reporting mechanisms (i.e., regular risk reporting and internal audit) that addresses personal data protection issues. Such a structure provides clarity on the direction and manner in which an organisation manages personal data protection risks, among others.
3.5.5 Organisations can refer to the Board Risk Committee (BRC) Guide developed by the Singapore Institute of Directors (available at https://www.eguide.sid.org.sg/index.php/board-guide/board-risk-committee-guide) for more information on the board’s oversight role of ensuring the adequacy and effectiveness of a company’s risk management and internal controls within the context of the business and regulatory environment in Singapore.

3.6 Getting started with the DPMP

3.6.1 Organisations may consider the following four steps to help them formulate the DPMP:

Identify PD Handled → Identify, Assess and Manage Risks → Develop DPMP → Maintain DPMP

3.6.2 When management of an organisation has decided that the organisation should develop and implement a DPMP and has then established a PDPA Project Team (see 3.3.1(c)), the organisation should understand the personal data handling by the organisation and the flows of personal data. One method of doing that is to develop a data inventory map or data flow diagram – that is, an analysis of the data involved and data flows of the business processes of the organisation – that shows:
(a) where and how the organisation collects personal data;
(b) where it stores data;
(c) how and why the organisation uses and discloses that personal data; and
(d) when it ceases to retain that personal data and how it securely deletes or destroys it.

3.6.3 To identify personal data handling, some of the questions to be considered by the PDPA Project Team include:
(a) What types of personal data does the organisation collect, use, disclose and store? For what purpose(s) does the organisation do so?
(b) Unless an exception to consent applies in any particular circumstance, does the organisation obtain the consent of the relevant individual after notifying them of the purpose for collecting their personal data? Does the organisation maintain a consent registry (see 3.6.6) to track such consents?
(c) Where does the personal data flow within the organisation? Is it being used for the purposes for which the organisation collects it and of which it notifies the individual?
(d) To whom does the organisation disclose the personal data? Is such disclosure for the purposes for which the organisation collects the data and of which it notifies the individual?
(e) Where does the organisation store the personal data that it collects and handles? Is that storage adequately secure? Does the organisation securely delete or destroy the personal data when it is no longer required by the organisation?
(f) Does the organisation classify the personal data that is in its possession or under its control and, if so, how does the classification scheme work?

3.6.4 Once the handling of PD has been identified, management needs to identify, assess and manage personal data protection-related risks:
(a) What are the risks related to poor data protection measures (that is, data breach, PDPA non-compliance and poor perception due to perceived unreasonable or improper handling of personal data)?
(b) What does the organisation need to start (or stop) doing with personal data to treat or mitigate the identified risks? What controls (see 6.3) should the organisation put in place to treat or mitigate risks related to poor data protection measures?
(c) What data protection related risks are associated with data intermediaries or third parties handling the personal data under your organisation’s responsibility? What should be done to treat or mitigate them?

3.6.5 Organisations may also wish to adopt a risk register following their inventory mapping. The risk register should identify the risks associated with the nature of the personal data and the context in which it is used. In addition, organisations should consider existing whitelists of data which may be subject to more stringent regulation, for instance as highlighted in the Guide on Managing and Notifying Data Breaches Under The PDPA.

3.6.6 As a good practice, an organisation should develop and maintain a ‘consent registry’ to record consent provided by individuals to the organisation for the collection, use and disclosure of their personal data for a particular purpose. This could be a document for the organisation to demonstrate and verify that an individual has provided consent and for the organisation to have oversight of the consent provided, or withdrawn, by an individual. A sample of such a consent registry is available at https://www.pdpc.gov.sg/help-and-resources/2019/07/guide-to-developing-a-data-protection-management-programme/resources.

3.6.7 As an organisation updates its consent clauses, the consent registry can help to keep track of what is permitted for each version of the consent clause and the version of the consent clause that each customer has agreed to.

3.6.8 An organisation should develop and implement a data classification policy (see 5.2) so that it can set the standard of protection that it wants to apply to various categories of data, including both commercial categories of data (such as its customer lists, its intellectual property and its business strategies and know-how) and personal data in its possession or under its control. The classification level depends typically on the level of damage that would be likely to result from an unauthorised disclosure of that data.

3.7 DPMP with regard to data intermediaries

3.7.1 All organisations, including data intermediaries, are encouraged to have a DPMP.

3.7.2 A data intermediary is an organisation that processes personal data on behalf of and for the purposes of another organisation. Common examples of data intermediaries include third parties that provide services such as payroll and human resource management, IT systems development and management, loyalty programme management and event management.

3.7.3 The only statutory data protection obligations imposed on a data intermediary that is acting pursuant to a contract which is evidenced or made in writing are the Protection Obligation and the Retention Limitation Obligation. In addition, where a data intermediary has reason to believe that a data breach has occurred which affects the personal data it is processing for another organisation, it must, without undue delay, notify the other organisation of the same.

3.7.4 An organisation has the same obligations under the PDPA in respect of personal data processed for its purposes by a data intermediary as it would have if the organisation processed the personal data itself. For example, if an organisation engages an outsourced payroll provider which processes personal data for the organisation’s purposes, the organisation is responsible for that data intermediary’s acts and omissions that fail to comply with the PDPA.

3.7.5 Before engaging a data intermediary, an organisation should carry out sufficient due diligence to satisfy itself that the proposed data intermediary is capable of complying with the PDPA. The due diligence that needs to be done depends on the circumstances, including the sensitivity of the personal data that the proposed data intermediary will process for the organisation.

3.7.6 When an organisation is engaging a data intermediary it should ensure that it has clear and specific clauses in relation to data protection in its written contract with the data intermediary. The PDPC has published a Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (available at https://www.pdpc.gov.sg/og).
3.7.7 In relation to contractual clauses, reference may be made to the Guide to Managing Data Intermediaries, specifically Annex B: Further Considerations on Developing Contract Clauses.

3.7.8 There are certain key considerations for organisations when outsourcing data processing activities to data intermediaries, in relation to, for instance:
(a) Governance and Risk Assessment: The senior management of the organisation should have an understanding of the risks involved in outsourcing data processing activities, and establish relevant measures to mitigate the risks. At this stage, the organisation may conduct due diligence to ensure that the data intermediary is able to meet its data processing requirements and provide the protection and care that is commensurate with the volume and sensitivity of the personal data that the data intermediary is to process;
(b) Policies and Practices: The contract in place between the organisation and its data intermediary should set out clearly the obligations and responsibilities of all parties. The organisation could also establish standard operating procedures (SOPs) relating to operational procedures and reports (e.g. regular management reports and ad-hoc incident reports);
(c) Service Management: Depending on the nature and extent of the outsourcing arrangement, the organisation may put in place monitoring and reporting structures to manage its data intermediary (e.g. periodic audits, on-site inspection, proper onboarding of the data intermediary and training of its staff); and
(d) Exit Management: The organisation should establish exit management plans for the conclusion of its engagement with data intermediaries to ensure business continuity and proper handling of personal data where it is no longer required for legal or business purposes.

3.7.9 For more details, please refer to the Guide to Managing Data Intermediaries (available at https://www.pdpc.gov.sg/og) published by the PDPC.
3.7.10 If, by engaging the data intermediary or through the course of the engagement with the data intermediary, personal data is transferred internationally, organisations should ensure that such transfers are done in compliance with the PDPA.

3.7.11 An organisation that provides data processing services (for example, payroll processing services, web hosting services and loyalty programme management services) competes with other organisations that provide the same service or services. The ability to demonstrate that it is both capable of complying with, and does comply with, the PDPA provides it with a competitive edge.

3.7.12 In this regard, such organisations may consider subjecting their data protection practices to regular reviews and validation, e.g. the Data Protection Trustmark (DPTM) Certification or other forms of certification.

Resources For Chapter 3 Overview - Data Protection Management Programme (DPMP)

For further information on benchmarking existing personal data protection policies and practices, see PDPC’s Guide to Developing a Data Protection Management Programme (DPMP Guide) (available at https://www.pdpc.gov.sg/og).

For further information on relevant Advisory Guidelines and Guides published by PDPC, as well as industry best practices, see PDPC’s PDPA Assessment Tool for Organisations (PATO) (available at https://www.pdpc.gov.sg/PATO).

For further information on clauses for agreements, see PDPC’s Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (available at https://www.pdpc.gov.sg/og).

For further information on roles, responsibilities and key considerations for the organisation when engaging a data intermediary, see the Guide to Managing Data Intermediaries (available at https://www.pdpc.gov.sg/og).
