How Being Data Protection Trained Can Help With Job Retention
The Personal Data Protection Act 2012 (PDPA) is the data protection legislation in Singapore governing the collection, use and disclosure of individuals’ personal data by organisations. Before the PDPA was enacted, Singapore had no overarching law governing the protection of personal data. The processing of personal data in Singapore is now regulated by a patchwork of laws, including the common law, sector-specific legislation, various agency internal rules and the PDPA. These existing sector-specific data protection frameworks continue to operate alongside the PDPA.
What are Your Business Obligations Under the PDPA?
1. Consent Obligation: your business may only collect, use and/or disclose the personal data of individuals who have consented to that collection, use and/or disclosure. Read more about the PDPA obligations in our other article.
2. Purpose Limitation Obligation: your business can only collect, use and/or disclose personal data of individuals for the purpose(s) for which consent has been given by these individuals.
3. Notification Obligation: your business must inform individuals of the purpose(s) for which their personal data is being collected, used and/or disclosed.
4. Access and Correction Obligation: your business must, upon request and as soon as reasonably possible, inform an individual of:
- What personal data of theirs is in your business’s possession or under its control; and
- How that personal data has been used or disclosed within the year before the date of the request.
Your business must also correct errors or omissions in the personal data in its possession or under its control upon request, unless it is reasonable not to make the correction.
5. Accuracy Obligation: your business must make reasonable efforts to ensure that the personal data it collects is accurate and complete, if that personal data is likely to be:
- Used by your business to make a decision that affects the individual to whom the personal data relates; or
- Disclosed by your business to another organisation.
6. Protection Obligation: your business must put in place reasonable security arrangements to protect the personal data in its possession or under its control, so as to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of that data, or similar risks. What counts as reasonable depends on the sensitivity of the data and the harm that would result from a compromise, so the measures (access controls, encryption, staff training and so on) should be proportionate to that risk.
7. Retention Limitation Obligation: your business should retain personal data only for as long as it is necessary for business or legal purposes, and should cease to retain it (or anonymise it) once those purposes no longer apply.
8. Transfer Limitation Obligation: if your business transfers personal data overseas, for example by storing it with a cloud provider hosted outside Singapore, it must ensure that the transfer meets the PDPA’s requirements, so that the transferred data receives a standard of protection comparable to that required under the PDPA.
9. Accountability Obligation: your business must implement the policies and procedures necessary to fulfil its PDPA obligations, and must make information about those policies and procedures, together with the business contact information of its Data Protection Officer, available on request.
Is appointing a DPO Mandatory under the PDPA?
Yes. Under the PDPA, organisations (including businesses) are required to appoint at least one individual as their Data Protection Officer (DPO) to be responsible for ensuring the organisation’s compliance with the PDPA.
Your business’s DPO can be either an employee or a third party. Note, however, that appointing a DPO does not relieve your business of its own data protection obligations: responsibility for compliance remains with the organisation.
What are the Benefits of being Data Protection trained?
1. Documenting compliance activity
Documentation and audit are an important part of meeting your PDPA and, if applicable, GDPR compliance obligations. If a breach does occur, you can show that you took reasonable steps to prevent it. This helps in any investigation of the breach and may be taken into account when any penalties are determined.
2. General awareness of PDPA and cyber security
Being data protection trained gives employees a good overview of what the PDPA entails. Training can also be tailored so that the specific requirements affecting a particular department, such as marketing, are explored in more depth. Staff can then contribute their own insight into how to meet the requirements while minimising operational changes.
3. Reduced human error
Human error is a major factor in data protection incidents. Research by Willis Towers Watson found that 90 percent of cyber insurance claims could be traced back to human error. Sending your employees on a PDPA compliance and awareness course can help reduce human error by teaching staff where mistakes commonly happen (for example, misdirected emails or mishandled attachments) and how to change the behaviour that leads to them.
4. Meeting Individuals’ Personal Data Access Rights
Access rights are a fundamental aspect of both the PDPA and the GDPR and are covered by their respective obligations. They give individuals the right to know what is being done with their personal data: for example, the purpose for which it was collected, who it is shared with and what categories of data are held. Often, these requests are first received by staff on the customer frontline, so those staff need to recognise an access request and know how to route it.
5. Preventing a Data Breach Incident
Data protection trained employees play a crucial role by practising good data protection habits and cyber hygiene at the workplace every day. They also add value by flagging to management any current methods of handling personal data that may be risky, which strengthens your organisation’s data protection governance and, in turn, its PDPA or GDPR compliance.
Every organisation needs a DPO and data protection trained personnel
An organisation must appoint one person, or a team of persons, as its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated role or an additional responsibility within an existing role. Once appointed, the DPO may in turn delegate certain responsibilities to other officers and employees, although accountability for compliance remains with the organisation.
Is it easier to find a new Job if you are Data Protection trained?
Most privacy jobs require a few years of experience, but the privacy profession is still relatively new and gaining that experience can be difficult because there are few clear paths into the field. Once in the field, however, demand for experienced privacy professionals is high, and recognised training is one way to show a prospective employer that you already understand the obligations.
Having an Edge above others and Value Adding to any Business
Every business needs some special angle, or a compelling value proposition, in order to stand out. To be clear, that does not just mean your prices. Your company needs to prove to prospective buyers that your solution is the better or right one, and that is where your competitive edge comes in. Being able to demonstrate that personal data is handled properly is one such edge.
Being data protection trained can help with your job retention and, by enabling you to take on more responsibility, can in time lead to a promotion or higher remuneration.
Mr. Alvin Decruz is the Head of Engineering of theAsianparent, the largest online parenting community platform in Southeast Asia, which reaches 35 million users monthly.
Alvin, along with other theAsianparent employees, attended Privacy Ninja’s PDPA training and was subsequently appointed as the company’s in-house Data Protection Officer. The training and audit conducted for the company helped him gain better insight into personal data protection governance and facilitated the company’s PDPA compliance.