Facts About Accountability PDF That You Need to Know About
Organisations today operate in an increasingly connected and competitive digital economy where individuals’ online and real-world activities generate a burgeoning amount of data. In such a competitive and evolving business environment, a “checkbox” compliance approach towards the handling of personal data is increasingly impractical and insufficient to keep pace with the developments in data processing activities.
Accountability in relation to personal data protection is the undertaking and demonstration of responsibility for the personal data in an organisation’s possession or under its control. As a principle in personal data protection frameworks, accountability was first introduced in 1980 by the OECD and has since gained traction internationally. For example, it is one of the key principles of the APEC Privacy Framework, and it is also one of the obligations under the European Union General Data Protection Regulation (“GDPR”).
Accountability is a fundamental principle of Singapore’s Personal Data Protection Act (“PDPA”), which requires organisations both to comply with the PDPA and to be able to demonstrate that compliance. Collectively, sections 11 and 12 of the PDPA form the accountability obligation under the PDPA. First and foremost, an organisation is responsible for the personal data in its possession or under its control. Each organisation is required to:
- Develop and implement policies for data protection;
- Communicate and inform their staff about these policies; and
- Implement processes and practices that are necessary to meet their obligations under the PDPA.
Accountability Policy
Good accountability practices begin with an organisation’s leadership and are directed through its corporate governance and policies. A key step towards a genuine commitment to accountability is to embed personal data protection into corporate governance, since the involvement of senior management is crucial.
Responsibilities of senior management include the following:
- Appointing a Data Protection Officer (“DPO”), preferably from senior management, who can effectively direct and oversee data protection initiatives. The DPO should be supported by representatives from the organisation’s various functions.
- Endorsing the organisation’s data protection management programme, which is developed to address and suit the organisation’s business needs.
- Monitoring and managing personal data protection risks by establishing an enterprise risk management framework, with effective reporting mechanisms (e.g. regular risk reporting and internal audit), that addresses personal data protection issues.
- Communicating the organisation’s approach to handling personal data throughout the organisation.
Accountability and People
Personal data protection is the responsibility of every employee, not only of the organisation’s appointed data protection representatives. It cuts across roles, functions and hierarchy and should be practised by staff (including volunteers and contract staff) at all levels of the organisation, as well as by third-party service providers acting on its behalf.
Accountability Processes
An accountable organisation not only develops and communicates its data protection policies, but also puts in place effective processes to operationalise those policies throughout the data life cycle (i.e. from the collection of personal data to its disposal) and across its business processes, systems, products and services.
Accountability Tools
To provide practical assistance and help organisations put accountability into practice, the PDPC has developed and promoted the adoption of accountability tools, such as the Data Protection Management Programme (“DPMP”), risk and impact assessments (e.g. the Data Protection Impact Assessment, “DPIA”) and gap analysis assessments (e.g. the PDPA Assessment Tool for Organisations, “PATO”).
Accountability practices have also enabled the development and implementation of a number of initiatives that support commerce between, or with, accountable organisations. For example, an organisation may engage an independent third-party assessor to certify its data protection policies and practices under the Data Protection Trustmark (“DPTM”) certification.