Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Accountability Obligation: What every Organization should know

Accountability Obligation
Organizations should take note of the Accountability Obligation to avoid breach and a hefty penalty

What every Organization should know about the Accountability Obligation

Every day, massive volumes of data are generated when consumers and businesses use the internet to conduct their business. Consumers are also becoming more skeptical about how businesses are utilizing and handling their personal data, and they place a higher value on trust and accountability than in the past.

Therefore, an organization must adopt an accountability-based strategy to manage personal data collected from clients to remain competitive. In turn, this will assist the organization in enhancing public trust, increasing business competitiveness, and providing better confidence to your clients, all of which are essential aspects of thriving in today’s digital economy.

Accountability Obligation

The Personal Data Protection Act (PDPA) establishes accountability as a core premise. This requires organizations to accept accountability for personal data in their possession or control.

To demonstrate that an organization is handling personal data responsibly, it must: 

(a) develop and implement data protection policies; 

(b) communicate and inform employees about these policies, as well as instill an organizational culture of responsibility through regular training and awareness programs; 

(c) appoint a Data Protection Officer (DPO) who is responsible for ensuring that the Organization complies with the PDPA. Additionally, make available to customers information about the data protection policies and practices; and

(d) adopt the processes and practices necessary to comply with the PDPA’s requirements. The Organization must be able to demonstrate that personal data is managed and safeguarded appropriately. This includes translating legal requirements into policies and practices, designing data protection into policies and practices, and implementing monitoring methods and controls to successfully execute policies and processes.

Above all, the Organization is accountable to regulatory authorities, business partners, and individuals who entrust the Organization with personal data.

The Accountability Obligation requires organizations to place reasonable measures and safeguards to protect personal data, and appoint a DPO.

Breach of Accountability Obligation by Nature Society (Singapore)

The recent incident involving the Nature Society (Singapore) underscores the importance of exercising the Accountability Obligation by the PDPA. After breaching the Accountability Obligation, Nature Society was made to pay a whopping S$14,000 fine. 

In this case, the PDPC was notified on November 06, 2020, that an online article reporting about hacked databases is being made available for downloads on several hacking forums and Telegram channels. Nature Society (Singapore) is one of the affected organizations.

The incident affected the personal data of 5,131 members and non-members who had created membership and user accounts on the Nature Society (Singapore) ‘s website. Upon investigation, it was revealed that the possible attack vector was is an SQL injection attack which led to personal data on the Organisation’s website database being accessed and exfiltrated by unknown parties.

With this Incident, Nature Society (Singapore) was made to pay a financial penalty of S$14,000 as it admitted that it did not designate a DPO, it failed to develop and implement any personal data protection policy prior to the incident, and it did not make reasonable security arrangements to protect the personal data on its website database.

We can get from this case the importance of an Organization’s active placement of the policies and safeguards to prevent any data breach in the future. This case also stresses the importance of appointing a DPO to make sure that such policies for healthy cybersecurity hygiene are in place to achieve the same goal. The PDPC laid down, in this case, an organization’s responsibilities as it plays a vital role in implementing and building a robust data protection framework.

How a DPO can help organizations

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Every Organization’s DPO should be able to curb any instances of Phishing scams as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity. 

For instance, at Privacy Ninja, we randomly conduct simulated email phishing to clients to see if there are any vulnerabilities present that a bad actor can exploit and patch them to ensure that the client will never be a victim of such a scam. 

DPOs complement the efforts of Organizations in battling scams as DPOs ensure that when there is an instance of a cyberattack, a protocol for dealing with it has been established and can be employed to protect the personal data of clients. DPOs play a crucial role when an organization is hit with phishing attacks as they ensure safeguards are put in place to combat it when it happens.

As a consumer who provides my very own sensitive information to each Organization I encounter or have a transaction with, I would feel safe if there is a requirement for an organization to take the collection, usage, and disclosure of my personal data seriously. 

This is why it is stressed by the PDPC under the PDPA for Organizations to make sure that policies surrounding data protection are held, safeguards surrounding it is put up, and that a DPO is appointed to oversee the cybersecurity hygiene of the Organization. 

Accountability in Four Easy Steps

While the PDPA contains mandatory accountability provisions, organizations should consider accountability mechanisms that go beyond basic compliance with the legislation.

Organizations can demonstrate accountability through the establishment of a governance structure and risk assessments, the development of management policies and practices for the handling of personal data, and the establishment of processes to operationalize them.

Step 1: Governance and Risk Assessment 

Effective accountability measures begin with the leadership of an organization and are guided by its corporate governance. The senior management of an organization should comprehend risks and conduct regular risk assessments in order to account for changes in business models, regulations, technology, and other factors. Thus, a critical step toward ensuring accountability is to incorporate personal data security into corporate governance.

 Step 2: Policies and Practices

As part of its corporate governance and risk management structure, an organization should adopt suitable data protection policies and practices and communicate them effectively to both external parties (e.g. vendors, customers) and internal stakeholders (e.g. employees).

Personal data protection, in particular, is the duty of every employee. It transcends roles, functions, and hierarchies and should be practiced by all levels of personnel (including volunteers and contract staff) as well as third-party service providers.

Having distinct internal rules and practices for specific areas will also help internal stakeholders understand their roles and duties when it comes to handling personal data on a day-to-day basis.

Step 3: Processes

Additionally, an accountable organization establishes effective processes for operationalizing its data protection rules across the data lifecycle (from collection to disposal of personal data) and across business processes, systems, products, and services.

To begin establishing particular processes, an organization should document its personal data flows to better understand how personal data is gathered, kept, utilized, disclosed, and archived/disposed. Following that, it should identify critical data security gaps and areas for improvement before adopting data protection practices into company processes, systems, goods, or services.

 Step 4: Review

Organizations should assess their data protection policies, methods, and processes on a regular basis to identify and resolve gaps. This will ensure that the Organization stays current with regulatory and technological advances and that data protection risks are managed successfully in a continuously expanding digital economy.

Also Read: Guarding against common types of data breaches in Singapore



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us