Organisations vs Data Intermediaries: What their difference is and why it matters
Singapore’s Personal Data Protection Act (PDPA), like all other data protection and privacy laws, makes a distinction between two different types of companies: organisations (commonly referred to as “controllers” under other laws) and data intermediaries (commonly referred to as “processors” under other laws).
Organisations and data intermediaries have very different data protection responsibilities because of the very different roles they play in handling an individual’s personal data.
Under the PDPA, a data intermediary is an organisation that processes personal data “on behalf of another organisation”. As a result, data intermediaries process data on behalf of other organisations, frequently their business customers, rather than on their own behalf. Because they frequently do not interact with individuals directly, it is crucial that consumer-facing rules are not applied directly to data intermediaries acting in that capacity.
However, contractual data protection duties often impose restrictions on how and when data intermediaries can access personal data for processing purposes.
Why is the Organisation/Intermediary difference important?
Distinguishing organisations from data intermediaries ensures that data protection rules apply requirements that match a company’s role in managing personal data. The difference protects individuals’ personal data without posing new privacy or security issues. Here are two concrete examples:
- Responding to Requests for Access and Correction: The PDPA requires organisations to respond to access and rectification requests, but does not force data intermediaries to do so. This is not without reason. Responding to requests to access or correct personal data necessitates knowledge of the data’s contents.
Organisations typically engage with individuals and decide when and why to gather data, so they are in a good position to make that decision. Data intermediaries, on the other hand, frequently lack visibility into the data they process on behalf of a company and may even be contractually forbidden from viewing it. Furthermore, a data intermediary may not know if there is a cause to decline a request, such as when a request for access to personal data is excessive or may reveal the personal data of another individual.
Forcing data intermediaries to respond directly to requests for access to and correction of personal data may thus pose both security problems (by requiring them to send data to individuals they do not know) and privacy problems (by requiring them to look at data they otherwise would not).
- Data Security: In contrast to individual-facing requirements, such as the responsibility to honour access and correction requests, all enterprises should have obligations to secure the personal data they process. Under the PDPA, the Protection and Retention Limitation obligations apply to both organisations and data intermediaries. Both types of business should take reasonable and appropriate security precautions.
How should organisations and Data Intermediaries fulfill their obligations?
The first step is to determine whether your company operates as an organisation or as a data intermediary.
In some circumstances, a corporation may serve in both capacities for various sorts of processing activities. A firm that operates as a data intermediary and processes data on behalf of its business customers, for example, may also act as an organisation for its own internal processing activities, such as processing personnel data.
To establish and execute appropriate privacy compliance standards, it is critical to first understand whether your company performs its processing activities as an organisation or as a data intermediary.
What Organisations and Data Intermediaries should know
Contractual commitments can be used to execute compliance measures for both organisations and data intermediaries in various circumstances.
Before engaging in a contractual partnership, both parties should ensure that the organisation’s and data intermediary’s duties and obligations are well-established and commensurate with the respective responsibilities of the organisation and data intermediary under the PDPA.
How a DPO enters into the picture
Companies of all sizes must understand the distinction between organisations and their data intermediaries in order to guarantee that their compliance processes are appropriate, but this alone is not enough.
What these two types of company have in common is the personal data of individuals, and the PDPC has never been lenient when it comes to non-compliance with the PDPA, especially where there has been a breach of personal data. This is shown in the case of Flying Cape. If it weren’t for the low number of affected individuals, it could have suffered a hefty financial penalty.
In any other case, once a breach has occurred, the PDPC will not hesitate to impose hefty financial penalties, ranging up to S$1,000,000, to ensure that the incident does not happen again. This is where a DPO comes in.
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organisations comply with the Personal Data Protection Act (PDPA). Furthermore, every organisation’s DPO should be able to curb any instances of PDPA non-compliance, as the DPO is the officer responsible for maintaining the organisation’s positive cybersecurity posture.
DPOs complement organisations’ efforts to ensure that their methods of collecting personal data comply with the PDPA. They also ensure that policies are put in place so that there will be no instances of data breaches in the future.
Don’t wait any longer to ensure your organisation is PDPA compliant. Take our free 3-minute PDPA Compliance Self-audit checklist now, the same “secret weapon” used by our clients to keep them on track. Upon completion, we will send you the results so you can take the necessary action to protect your customers’ data. Complete the free assessment checklist today and take the first step towards protecting your customers’ personal data.