It’s time to dive deeper into one of the 10 steps listed on the PDPA’s checklist!
In this blog post, we will spotlight step #5 on the PDPA checklist, “Secure the personal data held by organizations.”
This item means that businesses under the PDPA regulation must take reasonable steps to prevent unauthorized access, use, collection, and/or disclosure of personal data.
Many organizations in Singapore have faced problems of non-compliance with PDPA due to a lack of training offerings. For example, the Personal Data Protection Commission (PDPC) issued a warning to an organization because they did not train their employees to protect personal data, as reported in the Hazel Florist Case.
As a Data Privacy Officer, or any member tasked with leading PDPA compliance, it is important to reinforce that ensuring compliance with PDPA is not only your teams’ responsibility but everyone’s. All non-IT employees in your organization are also accountable for complying with PDPA, as different departments in your company have access to internal and external personal data.
How to Secure Personal Data Held by the Organization
Before we start, it’s important to clarify that step 5 of the PDPA checklist must be accomplished on two levels: employee level and organization level. Below is a detailed list of what employees and organizations must do to comply.
Organizations must take the following actions to ensure PDPA compliance at the employee level:
- Data encryption and password protection for any personal data held in an electronic/digital format.
- Ensuring regular backup of the information on computer systems and keeping the backups in a separate location.
- Proper disposal/deletion of personal data that is no longer needed or upon completion of its business purpose.
Organizations must take the following actions to ensure PDPA compliance at the organization level:
- Installing firewalls and virus-checking software on electronic devices held by the staff of an organization.
- Locking portable computing devices when not in use or attaching them to a fixture by a security cable.
- Installing screensavers on computer screens to lock automatically when left unattended for a specified period of time.
- Restricting the use of external devices on all company-issued computers to authorized persons only.
- Restricting access to sensitive and confidential documents on a need-to-know basis, only to authorized persons.
- Using privacy filters and other means to prevent unauthorized access.
- Not making files containing personal data available online.
- Ensuring that the appointed software developers are aware of ICT security threats and are capable of designing and maintaining ICT systems that can protect stored personal data.
How to communicate these actions to everyone?
The items listed above might sound familiar to your IT team, but how can you spread the word to all other business units?
Your best ally in achieving these PDPA awareness requirements at the employee level is to provide education and training regularly.
Your organization must also communicate all data protection policies, practices, and processes to employees. It is the organization’s responsibility to ensure that employees are well-versed in these corporate policies.
Employees have a lot on their plates and might not be familiar with the importance of data protection. Informing them about IT policies and providing traditional cybersecurity training on these topics might not be the best solution, as these two processes can be long, tedious, and not effective.
Instead, IT and Compliance teams might try to find a solution that helps them increase policy awareness and drive behavior change for corporate policies. The main idea is to develop a policy awareness training program that is engaging and easy to digest and retain. Applying gamification can also help employees to observe these rules more effectively.
How to Ensure My Employees Are Aligned with PDPA?
Organizations must provide training on PDPA Awareness to their staff to avoid financial and reputational damages. You can read more about it in our blog post “The Cost of Non-Compliance with PDPA & Why it Matters.”
Right-Hand’s Compliance Readiness solution contains a Machine Learning engine that automates and customizes compliance teams’ ability to develop, store, and disseminate corporate policies, increase awareness of them, and drive behavior change. By also incorporating a gamified and bite-sized training approach, Compliance Readiness will help your Data Protection Officer (DPO) save time and resources when dealing with the PDPA regulations.
Schedule a demo below and let us help you automate your policy compliance processes!
DISCLAIMER: The information provided by Right-Hand is for general information purposes only to permit you to learn more about our products and services. It is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. The information provided is accurate and useful to the best of our knowledge. However, the information may not be current and is subject to change without notice. No one should act, or refrain from acting, based solely upon the information provided herein without first seeking appropriate legal or other professional advice. No attorney-client or confidential relationship exists or will be formed between you and Right-Hand or any of our representatives.