Knowing PDPA policy and its strategies to boost data protection in the workplace
Since the Personal Data Protection Act (PDPA) went into full effect on July 2, 2014, organisations in Singapore have been reviewing their data protection policies and practices to make sure they are in line with the new law. These organisations must ensure that, in the collection, use, and disclosure of personal data within the organisation, there is no accidental breach and no instance of personal data being held hostage by bad actors.
Personal data is considered digital gold today. It has become so valuable that bad actors are constantly on the prowl, trying to pry into organisations and infiltrate their systems just to get hold of it. Since these bad actors are on the rise, the PDPA is in place to ensure that organisations never become complacent with their policies, because a breach could result in a hefty financial penalty.
What is the PDPA all about?
When it comes to data breaches within any given organisation, the PDPA is the Singapore Government’s main shift toward transparency. The PDPA’s central focus is mandatory data breach reporting, which will result in a fundamental paradigm shift in how every organisation in Singapore operates in terms of data protection and security.
With the PDPA, Singapore’s Personal Data Protection Commission (PDPC) is developing guidelines and rules to encourage all Singapore-based organisations to implement risk-based internal monitoring of their data security systems and to be more open about any and all data breaches.
Such openness and transparency mean every individual or other organisation will know what to do and how to act when there has been a breach of personal data. With the PDPA, every organisation is compelled to report to the PDPC and inform those affected for a prompt response.
Strategies to boost data protection
In the workplace, personal data must be handled with diligence. All personal data, such as the information of guests, must be treated with care. Whenever possible, access to this personal data must be limited, and it must be stored in a secure place with a log of everyone who enters it. As far as possible, only authorised personnel with the highest clearance should be able to enter the room. Ideally, access to such personal data should only be allowed on a need-to-know basis.
Installing protection software
With regards to the digitised personal data handled by the organisation, installing software like anti-spyware, anti-virus, and personal firewall can help limit any unauthorised access of bad actors over the servers and databases of the organisation.
When it comes to electronic files, passwords are often the main way to protect them and control who can access them. In general, a password should be at least eight characters long and include uppercase and lowercase letters, numbers, and special characters. Other important ways to protect a password are to make sure it is not saved on the computer or written down in a place where someone else can easily find it.
Employees are considered the weakest link in an organisation’s cybersecurity. Since employees have access to the organisation’s inner workings through their accounts and passwords, it is important to incorporate the following practices:
- Regularly changing the password
- Putting a limitation for a failed log-in attempt and locking the account when the limit has been reached
- Hiding the password characters when the employee is keying them in
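The password rule and the failed-login practices above can be checked in code. The following is an added example, not code from the original article: a small password-policy check plus a login routine that counts failed attempts and locks the account once a limit is reached. The eight-character minimum comes from the text; the lockout threshold of five attempts, the PBKDF2 hashing, and the sample credentials are assumptions made for the example. Password characters are hidden at the prompt with `getpass`, which is the standard-library way to satisfy the third bullet.

```python
"""Password policy check and failed-login lockout (added example, not from the article)."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass

MIN_LENGTH = 8            # minimum length stated in the article
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold, not from the article
PBKDF2_ROUNDS = 200_000   # assumed work factor


def password_problems(password: str) -> list[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is never the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    failed_attempts: int = 0
    locked: bool = False


class Authenticator:
    """Keeps accounts in memory; a real system would persist them and log every event."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        problems = password_problems(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, hash_password(password, salt), salt)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown users get 'denied' too,
        so the response does not reveal which usernames exist."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failed_attempts = 0   # a good login resets the counter
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # stays locked until an administrator resets it
            return "locked"
        return "denied"


if __name__ == "__main__":
    import getpass  # getpass hides the characters as the employee types them
    auth = Authenticator()
    auth.register("alice", getpass.getpass("Choose a password for alice: "))
    print(auth.login("alice", getpass.getpass("Log in as alice: ")))
```

The lockout is deliberately one-way here: after the fifth failure even the correct password returns `locked`, which is the behaviour the second bullet asks for, and unlocking is left to an administrator so that the lock also works as a signal that something is being tried against the account.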
Proper disposal of personal data that is no longer needed
One way for an organisation to decrease the amount of personal information it has to protect is to regularly check if the information is still needed and set a time limit for how long it will be kept. Personal data that is no longer needed should be disposed of, but it should be done in the right way.
Personal data can be obtained by going through the trash, called “dumpster diving.” This is a common way to get personal information. Bad actors could use the information to get into the network of an organisation.
To stop this from happening, businesses should have a good way to get rid of confidential documents that they no longer need. This can be done by:
- Using special software to erase files or whole storage drives.
- Using special equipment such as degausser machines to destroy data stored on magnetic media, or simply a paper shredder for printed documents.
- Getting rid of any printouts or faxes that contain personal information that hasn’t been picked up.
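The retention review described above (check whether each record is still needed, set a time limit, and dispose of what has expired) is easy to automate once every category of personal data has a defined retention period. The following is an added example, not code from the original article: a small retention check that flags records whose period has run out so they can be handed to the disposal step. The record layout, the categories, the retention periods and the sample records are all constructed for the example.

```python
"""Retention check that flags personal data records due for disposal (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods per record category, in days (constructed for the example).
RETENTION_DAYS: dict[str, int] = {
    "guest_registration": 365,
    "job_application": 180,
    "cctv_footage": 30,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date


def expiry_date(record: Record) -> date:
    """Date on which the record's retention period ends."""
    if record.category not in RETENTION_DAYS:
        # Refuse to guess: a category without a retention period must be decided by the
        # data protection officer, not silently kept or deleted.
        raise KeyError(f"no retention period defined for category {record.category!r}")
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.category])


def records_due_for_disposal(records: list[Record], today: date) -> list[Record]:
    """Return the records whose retention period ended on or before `today`."""
    return [r for r in records if expiry_date(r) <= today]


def disposal_report(records: list[Record], today: date) -> list[str]:
    """One line per expired record, suitable for the disposal log the text asks for."""
    return [
        f"{r.record_id}: {r.category} collected {r.collected_on.isoformat()}, "
        f"expired {expiry_date(r).isoformat()}"
        for r in records_due_for_disposal(records, today)
    ]


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("G-001", "guest_registration", date(2021, 1, 15)),
    Record("G-002", "guest_registration", date(2022, 6, 1)),
    Record("J-001", "job_application", date(2022, 3, 1)),
    Record("C-001", "cctv_footage", date(2022, 7, 1)),
]


if __name__ == "__main__":
    for line in disposal_report(SAMPLE_RECORDS, date.today()):
        print(line)
```

Running the check on a schedule and feeding its output to the disposal methods listed above (secure erasure for electronic copies, shredding for printouts) turns the retention policy into a routine rather than an occasional clean-up, and the report doubles as evidence that disposal was done on time.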
The PDPA and its policies are in place to protect both the organisation and its customers from bad actors whose aims go beyond ordinary data theft. It is about building trust that customer data will be safe at all times. Organisations must uphold the PDPA not just to avoid a hefty financial penalty but also to build the organisation’s image that they can