Privacy Ninja


Expedited Data Breach Decision: PDPC Guide on Active Enforcement

The PDPC may consider an Expedited Data Breach Decision if the organization involved makes an upfront admission of culpability for its role in causing the breach.

The Personal Data Protection Commission (PDPC) published a Guide on Active Enforcement on May 22, 2019, signaling a shift in how the PDPC will approach enforcement actions in the future.

There are three primary enforcement tactics under the present approach outlined in the Advisory Guidelines on the Enforcement of Data Protection Provisions. When appropriate, the PDPC could use alternative dispute resolution processes such as mediation and assisted negotiation to resolve what appears to be primarily a dispute between the parties. Alternatively, the PDPC could launch an investigation, using its statutory powers of investigation under the PDPA to gather facts and reach a conclusion. Finally, if the organization has made a decision on a request for access to or correction of personal data, the PDPC may review that decision.

Voluntary undertakings and expedited decisions are two further intermediate enforcement methods described in the Guide that may be pursued in lieu of a full investigation. Previously, neither the Guidelines nor the PDPA specifically provided for these. The Guide explains the scope of these additional alternatives as well as the situations in which the PDPC will use either enforcement option when investigating a breach.

This update is for organizations that want to better understand the new enforcement alternatives that have become available and the procedures that should be performed ahead of time to preserve the opportunity for an organization to seek an undertaking.


Undertaking

An undertaking is a written commitment made by the organization to the PDPC that voluntarily commits the organization to correct the violations and take actions to prevent future occurrences.

In most cases, an undertaking is available when:

1. It delivers a similar or better enforcement outcome for the PDPC than a comprehensive investigation; or

2. The organization can demonstrate that it has accountable data privacy practices in place, such as a Data Protection Trustmark (Trustmark), and an effective remediation plan that it is ready to apply.

The remediation plan should include steps to prevent a recurrence of the incident, as well as the development of monitoring and reporting mechanisms, audits, and policy/process evaluations.

A typical undertaking will include a summary of the data breach incident as well as efforts to notify and minimize harm to the impacted individual(s). The PDPC also expects the organization to have executive-level support for the undertaking, which requires the undertaking to be signed by the CEO or someone of equivalent status.

The Guide also includes examples of situations in which the PDPC will not accept an undertaking request. For example, the PDPC will not accept an undertaking request if the organization denies responsibility for the data breach, refuses to accept the undertaking’s terms and conditions, or refuses to agree to the undertaking’s publication. In particular, a request for an undertaking must be submitted immediately after the investigation begins, and the organization must have a remediation plan ready. The PDPC will not accept a request for an undertaking that requires more time to develop a remediation plan.

Of the two conditions under which an undertaking is a realistic alternative, the second is partly within the organization’s control and can be planned for. This requires organizations to be prepared to demonstrate sound, accountable privacy practices ahead of time. Organizations that have conducted scenario planning and exercises for responding to data breach situations will be better positioned to produce a remediation plan quickly when investigations begin. Organizations that have gone the extra mile to achieve Trustmark certification are also in a better position to seek an undertaking.

This highlights the necessity of having documented protocols in place and organizational preparedness in dealing with possible data breach situations.

Expedited Data Breach Decision

The PDPC may consider an expedited decision if the organization(s) involved makes an upfront admission of culpability for its role in causing the breach. The organization must submit a written request to the PDPC, providing and admitting all information pertinent to the data breach occurrence. In general, the PDPC will consider an expedited decision if the breach involves a failure to designate a data protection officer or to establish a privacy policy, or if the nature of the data breach is similar to precedent cases with similar factual categories.

An expedited decision shortens the time it takes to complete an investigation. Although the PDPC will still issue a full decision (including any applicable directions), the admission of responsibility will be a significant mitigating factor if financial penalties are involved.

Full Investigation Process

When a data breach has a substantial impact, such as when a large number of people are affected or the personal data released could potentially cause considerable harm, the PDPC will normally initiate a full investigation right away. Investigations into breaches determined to have a low impact may be discontinued.

If the PDPC finds a violation, it may impose: (i) a warning; (ii) directions only; (iii) financial penalties only; or (iv) both directions and financial penalties.
