Privacy Ninja

PDPC Data Intermediary: Guidelines for businesses to know


The Personal Data Protection Act (PDPA) underlines the necessary requirements and critical considerations for organizations, such as Data Controllers (DCs), that outsource data processing operations to other entities, such as Data Intermediaries (DIs).

Customers trust DCs that assure accountability through their management of Data Intermediaries, and those businesses become more competitive as a result.

When processing data on behalf of a DC, Data Intermediaries must guarantee compliance with their duties under the PDPA and follow the best practices.


Data Intermediary (DI) Management Lifecycle

In today’s data-driven economy, organizations frequently outsource data processing tasks to Data Intermediaries. To give consumers confidence and improve their competitiveness, organizations should assure accountability by referring to the significant factors outlined in the DI Management Lifecycle and the guidelines beneath it.

The Guide to Managing Data Intermediaries covers the DC’s and DI’s duties, responsibilities, and critical considerations as they relate to the Data Intermediary Management Lifecycle, which includes (A) Governance and Risk Assessment, (B) Policies and Practices, (C) Service Management, and (D) Exit Management.

(Source: PDPC)

A) Governance and Risk Assessment

At this stage of the PDPC Data Intermediary Management Lifecycle, the DC’s roles and responsibilities include: 

  • Begin with the organization’s leadership and governance structure. Decisions to outsource data processing activities and the scope of such data processing activities should be determined by the senior management of the DC. 
  • Have an understanding of the risks involved in outsourcing data processing activities. This entails identifying and assessing the personal data risks on a regular basis and establishing the relevant measures covered in this Guide. 

Roles and responsibilities: 

  • Establishing the business objectives and requirements for the proposed data processing outsourcing; 
  • Determining the scale of outsourcing and the sensitivity of personal data that will be processed; 
  • Identifying the potential high-level risks that are relevant to establishing the evaluation and selection criteria for the DI; 
  • Identifying requirements that can be set out in the contract with the DI. 
  • Determine the specific policies and practices for managing the processing activities carried out by the DI. 
  • Ensure that the DI selected is able to meet the data processing requirements and provide the protection and care that is commensurate with the volume and sensitivity of the personal data. 
  • Be satisfied that the DI has the necessary data protection framework. 

For complex data processing activities:

  • Consider engaging Data Intermediaries that have obtained the Data Protection Trustmark (“DPTM”) Certification or other forms of certification. 

In general, a thorough grasp of the roles and duties will aid in the development of particular policies and procedures for the DI’s data processing operations.


B) Policies & Practices 

The DC’s DI management will be shaped by its business objectives, data processing requirements, and data processing risks. This section explains how various data protection rules and procedures work and how they should be conveyed to the personnel who manage the DI internally.

At this stage of the DI Management Lifecycle, the DC’s roles and responsibilities include: 

  • Communicate clearly with the DI on areas such as the scope of outsourcing and their personal data protection requirements. 
  • Have a binding contractual agreement that sets out the obligations and responsibilities of all parties. 
  • Take reasonable steps (such as having project documentation) to communicate specific requirements and ensure that the DI understands its obligation. 
  • Tailor operational procedures to the scope of the outsourcing arrangement. 
  • Approve the final operational procedures and any significant changes. 

For complex data processing activities

  • Consider and review details like the schedules to the contract and other administrative instructions outside the contract. 
  • Put in place appropriate standard operating procedures (SOPs) for the Data Intermediaries for reporting (regular management report and ad-hoc incident report) and operational procedures. 
  • Define the format and frequency of the reports from the DI. 
  • Surface management reports regularly to provide the DC’s management with the information to monitor and manage business operations. 
  • Put in place an escalation process and a reporting chain for incident reporting for ad hoc events. Additionally, in the event of a data breach, DCs could put in place drawer plans for their Data Intermediaries to take remedial actions to address the data breach. 

C) Service Management 

In order to manage its DI, a responsible DC not only establishes and publishes its data protection rules but also implements monitoring and reporting procedures.

Given the DIs’ closeness to and technical skill in carrying out the essential data processing operations, proactive monitoring is a good technique for Data Intermediaries to secure personal data and identify any unwanted access.

At this stage of the DI Management Lifecycle, the DC’s roles and responsibilities include: 

  • Have a kick-off meeting to brief key members of the DI’s project team. 
  • Have the appropriate level of representation from the DC and DI in meetings. 
  • Conduct ad-hoc meetings as and when necessary to address data protection issues in a timely manner. 

For complex data processing activities 

  • Develop an on-boarding process to brief key members of the DI’s project team on the business requirements, policies, practices, standard operating procedures, and the roles and responsibilities of the DI. 
  • Conduct regular meetings with key members of the DI’s data processing team. 
  • Use the briefing to key project team members to form the basis for the structured training to be conducted. 
  • Include the appropriate frequency, target audience, and training platforms to develop the right corporate culture towards data protection. 
  • Consider proactive monitoring by having the DI document activity through database logs and system logs and monitor access to identify possible unauthorized access or disclosure, particularly if the DI uses several systems or databases to store or process large amounts of personal data. 
  • Consider conducting audit exercises, requesting an independent audit report, or having on-site inspections to verify that the DI is delivering the agreed services according to the policies, practices, and SOPs. 
  • Consider simulations and table-top exercises to test out the effectiveness of ad-hoc incident reporting and remediation plans. 

D) Exit Management 

At this stage of the DI Management Lifecycle, the DC’s roles and responsibilities include: 

  • Establish exit management plans to conclude the engagement with Data Intermediaries to ensure business continuity and proper handling of personal data. 
  • Establish clear time frames for the DI to cease retaining the personal data after it has completed the data processing activities. 
  • Include the requirement for Data Intermediaries to ensure that all work done is fully documented and that all documentation is handed over to the DC. 
  • Conduct exit audits and checks to ensure that the DI abides by the agreed plans. 
  • Ensure that any data migration or transfers of data from one DI to another are done in a secure manner in the event of a change in DI. 
  • Follow through with the same steps of the DI Management Lifecycle. 

Organizations should evaluate the right actions to take based on the data protection risk. In general, when choosing these actions, organizations should consider the scope of the outsourcing and the sensitivity of the personal data that their DI is processing, as well as the duration of the DI contract period.
