Helping SMEs to improve personal data protection
Training of data protection officers (DPOs), capability development and best practice guidance: these are some of the areas where the Personal Data Protection Commission (PDPC) is helping organisations — especially small and medium enterprises (SMEs) — to better equip themselves with good personal data management and security practices.
These measures will help them to seize the opportunities of the data-driven digital era.
Speaking at the opening of the fourth Personal Data Protection Seminar organised by the PDPC, Minister for Communications and Information, Dr Yaacob Ibrahim, said new technology developments enable businesses to better understand consumer preferences at a deeper and more personal level through the use of data.
This translates to more customised products, better marketing and loyalty programmes and smoother delivery of services.
However, to seize these opportunities, businesses need to ensure that their customers feel safe interacting and transacting with them.
“It is no longer an option to treat data protection as an afterthought,” said Dr Yaacob.
Instead, businesses should adopt data protection by design and make data protection a key consideration when building their business structures and systems.
Dr Yaacob cited RedMart, an online grocery service provider, as an example of an SME that has designed its operations around personal data protection.
Only relevant personal data is disclosed for each stage of order processing and when a delivery representative needs to contact a customer, the call will be made through its mobile app without revealing the customer’s phone number to the delivery representative.
The Data Protection by Design approach also requires organisations to ensure that employees are aware of the need for personal data protection, and to make arrangements to train them to take responsibility for safeguarding customers’ personal data.
DPOs, which are mandatory under the Personal Data Protection Act (PDPA), play an important role in this respect.
They not only help to ensure that their organisations have proper processes in place for data protection, but also help to share best practices with their colleagues on how to manage and make best use of data to improve operations or to seize new business opportunities.
Training and Guides
To support the training of DPOs, PDPC is working with the Workforce Development Agency (WDA) to enhance its two-day Business Management Workforce Skills Qualification (WSQ) PDPA course.
Besides including additional topics on international data protection frameworks, data breach management and enforcement, the enhanced course will focus on developing the practical skills of DPOs through rigorous assessments and in-class participation.
The enhanced WSQ course will serve as a foundation for the eventual professionalisation of DPOs.
PDPC is also working with SPRING Singapore to help SMEs tap on the SPRING Capability Development Grant to improve their data and business risk management capabilities. This will enable companies to defray up to 70 percent of qualifying costs such as consultancy and training, assessments and audits, and adoption of data protection software solutions.
To promote the sharing of best practices, PDPC has issued new guides offering practical advice on building websites and IT vendor management, as well as sample contractual clauses that can be included in the agreements with vendors.
A third guide educates organisations on ways to dispose of physical media, such as paper, that contain personal data.
PDPC has also updated the existing guide on securing personal data in electronic medium to include new chapters on cloud computing, IT outsourcing and security patching, and revised several advisory guidelines to provide further clarity on access requests and withdrawal of consent.
“Through these guides and advisory guidelines, we hope to drive a shift of mindset from compliance to accountability, and for organisations to take it upon themselves to foster a trustworthy data ecosystem that is conducive for innovation and data use,” said PDPC Chairman Mr Leong Keng Thai.
The annual Personal Data Protection Seminar provides industry leaders and practitioners with insights on the opportunities and challenges of moving data across different sectors in a Smart Nation and Internet of Things (IoT) environment.
With “Bridging Innovation and Trust” as this year’s theme, panellists at the Seminar also discussed how initiatives such as Privacy Impact Assessment, Privacy by Design and Privacy Management Programme can help address the challenges of an increasingly complex data ecosystem.