What every Organization should know about the Accountability Obligation
Every day, massive volumes of data are generated when consumers and businesses use the internet to conduct their business. Consumers are also becoming more skeptical about how businesses are utilizing and handling their personal data, and they place a higher value on trust and accountability than in the past.
Therefore, an organization must adopt an accountability-based strategy to manage personal data collected from clients to remain competitive. In turn, this will assist the organization in enhancing public trust, increasing business competitiveness, and providing better confidence to your clients, all of which are essential aspects of thriving in today’s digital economy.
The Personal Data Protection Act (PDPA) establishes accountability as a core premise. This requires organizations to accept accountability for personal data in their possession or control.
To demonstrate that an organization is handling personal data responsibly, it must:
(a) develop and implement data protection policies;
(b) communicate and inform employees about these policies, as well as instill an organizational culture of responsibility through regular training and awareness programs;
(c) appoint a Data Protection Officer (DPO) who is responsible for ensuring that the Organization complies with the PDPA. Additionally, make available to customers information about the data protection policies and practices; and
(d) adopt the processes and practices necessary to comply with the PDPA’s requirements. The Organization must be able to demonstrate that personal data is managed and safeguarded appropriately. This includes translating legal requirements into policies and practices, designing data protection into policies and practices, and implementing monitoring methods and controls to successfully execute policies and processes.
Above all, the Organization is accountable to regulatory authorities, business partners, and individuals who entrust the Organization with personal data.
Breach of Accountability Obligation by Nature Society (Singapore)
The recent incident involving the Nature Society (Singapore) underscores the importance of exercising the Accountability Obligation by the PDPA. After breaching the Accountability Obligation, Nature Society was made to pay a whopping S$14,000 fine.
In this case, the PDPC was notified on November 06, 2020, that an online article reporting about hacked databases is being made available for downloads on several hacking forums and Telegram channels. Nature Society (Singapore) is one of the affected organizations.
The incident affected the personal data of 5,131 members and non-members who had created membership and user accounts on the Nature Society (Singapore) ‘s website. Upon investigation, it was revealed that the possible attack vector was is an SQL injection attack which led to personal data on the Organisation’s website database being accessed and exfiltrated by unknown parties.
With this Incident, Nature Society (Singapore) was made to pay a financial penalty of S$14,000 as it admitted that it did not designate a DPO, it failed to develop and implement any personal data protection policy prior to the incident, and it did not make reasonable security arrangements to protect the personal data on its website database.
We can get from this case the importance of an Organization’s active placement of the policies and safeguards to prevent any data breach in the future. This case also stresses the importance of appointing a DPO to make sure that such policies for healthy cybersecurity hygiene are in place to achieve the same goal. The PDPC laid down, in this case, an organization’s responsibilities as it plays a vital role in implementing and building a robust data protection framework.
How a DPO can help organizations
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Every Organization’s DPO should be able to curb any instances of Phishing scams as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.
For instance, at Privacy Ninja, we randomly conduct simulated email phishing to clients to see if there are any vulnerabilities present that a bad actor can exploit and patch them to ensure that the client will never be a victim of such a scam.
DPOs complement the efforts of Organizations in battling scams as DPOs ensure that when there is an instance of a cyberattack, a protocol for dealing with it has been established and can be employed to protect the personal data of clients. DPOs play a crucial role when an organization is hit with phishing attacks as they ensure safeguards are put in place to combat it when it happens.
As a consumer who provides my very own sensitive information to each Organization I encounter or have a transaction with, I would feel safe if there is a requirement for an organization to take the collection, usage, and disclosure of my personal data seriously.
This is why it is stressed by the PDPC under the PDPA for Organizations to make sure that policies surrounding data protection are held, safeguards surrounding it is put up, and that a DPO is appointed to oversee the cybersecurity hygiene of the Organization.
Accountability in Four Easy Steps
While the PDPA contains mandatory accountability provisions, organizations should consider accountability mechanisms that go beyond basic compliance with the legislation.
Organizations can demonstrate accountability through the establishment of a governance structure and risk assessments, the development of management policies and practices for the handling of personal data, and the establishment of processes to operationalize them.
Step 1: Governance and Risk Assessment
Effective accountability measures begin with the leadership of an organization and are guided by its corporate governance. The senior management of an organization should comprehend risks and conduct regular risk assessments in order to account for changes in business models, regulations, technology, and other factors. Thus, a critical step toward ensuring accountability is to incorporate personal data security into corporate governance.
Step 2: Policies and Practices
As part of its corporate governance and risk management structure, an organization should adopt suitable data protection policies and practices and communicate them effectively to both external parties (e.g. vendors, customers) and internal stakeholders (e.g. employees).
Personal data protection, in particular, is the duty of every employee. It transcends roles, functions, and hierarchies and should be practiced by all levels of personnel (including volunteers and contract staff) as well as third-party service providers.
Having distinct internal rules and practices for specific areas will also help internal stakeholders understand their roles and duties when it comes to handling personal data on a day-to-day basis.
Step 3: Processes
Additionally, an accountable organization establishes effective processes for operationalizing its data protection rules across the data lifecycle (from collection to disposal of personal data) and across business processes, systems, products, and services.
To begin establishing particular processes, an organization should document its personal data flows to better understand how personal data is gathered, kept, utilized, disclosed, and archived/disposed. Following that, it should identify critical data security gaps and areas for improvement before adopting data protection practices into company processes, systems, goods, or services.
Step 4: Review
Organizations should assess their data protection policies, methods, and processes on a regular basis to identify and resolve gaps. This will ensure that the Organization stays current with regulatory and technological advances and that data protection risks are managed successfully in a continuously expanding digital economy.