In this panel discussion, moderated by our Regional Head, Quan Heng Lim, our panel of industry experts, ranging from a government regulator and an SME association to cybersecurity and information privacy specialists, discussed their perspectives on maintaining data privacy in today’s digital world.
The session started off with Nevin Sim, GRC Consultant at Privasec, sharing the attitudes and perceptions towards data privacy in Asia. Previously, data privacy was not given as much priority as other core processes within a business, but there has been a gradual shift and more organisations are trying to uplift their data protection practices. This is also driven by increasing user expectations that companies manage and safeguard data appropriately.
Next, Dominic Ng, Data Protection Certifications Manager at IMDA, shared that with digitalisation and the increase in the collection and use of personal data has come a growing awareness within the agency of the importance of data protection. He also encouraged Small and Medium Enterprises (SMEs) and businesses to attain data protection certifications, and elaborated that Singapore’s data protection certification is backed by IMDA, which gives it a reputational boost.
Dominic also emphasised the importance of appointing a Data Privacy Officer (DPO). Although a director or decision-maker in the company would make a good candidate, the appointee does not need to be certified or experienced, for example holding certifications such as CIPP/A. It is possible to appoint someone that your organisation deems suitable to do the job.
Lastly, Yuit Ang, Vice President of Strategies, Development and Digitalisation at ASME, shared the perspectives of SMEs regarding the challenges they face in adopting data protection measures. Generally, the main challenge is the lack of resources, in terms of commitment of time, money and effort, as business owners tend to focus on revenue-generating activities.
To encourage the adoption of data protection measures, Yuit suggested presenting and simplifying such measures and certifications from the perspective of SMEs, with basic steps and different levels catered to organisations of different maturity. He also suggested that regulators educate business owners about the benefits of data protection, such as helping the business gain more revenue, access more customers and reach new potential markets, which could pique the interest of more SMEs in taking further action to elevate their privacy standards.
Data privacy is an essential component of this digitalised world, and organisations need to start prioritising it rather than taking it for granted. Even if your core processes do not involve personal data, regulations like the PDPA are going to be mandatory for all and important in demonstrating your organisation’s accountability.
Having good data protection measures and certification benefits organisations in many ways, including increasing their competitive advantage and providing assurance to external parties (suppliers, partners, potential business, regulators). It also provides regulatory relief: holding a Data Protection Trustmark can be a strong mitigating factor in the event of a data breach.
As mentioned in the session, there are many courses, grants and funding schemes available from Enterprise Singapore, IMDA and PDPC that organisations can tap on. Data privacy is the responsibility of everyone, and it is important to continuously raise awareness among SMEs and businesses to build the organisation’s security culture and enforce adequate data protection practices.
Lastly, we would like to thank all our esteemed speakers and participants for taking their time off to join us for this session and we look forward to seeing everyone in our next event!
Data Protection Trustmark (DPTM)
The DPTM is a domestic Singapore certification launched in 2019. It is designed based on the PDPA as well as elements from international benchmarks and best practices, including the data protection laws of Australia and Hong Kong and the EU GDPR. It gives organisations a visible badge demonstrating that they have accountable and responsible data protection practices.
APEC Cross-Border Privacy Rules (CBPR)
The CBPR is designed for data controllers; your organisation is a data controller if it is responsible for the collection and handling of personal data.
Privacy Recognition for Processors (PRP)
The Privacy Recognition for Processors (PRP) certification system is designed for data intermediaries, also commonly known as data processors under the EU General Data Protection Regulation (GDPR).
Firstly, the DPTM is a domestic certification aligned with the Singapore PDPA, which allows certified organisations to demonstrate their compliance with the PDPA. This means the trustmark can be used as proof of compliance for vendors, partners and customers in Singapore, whereas the CBPR and PRP are aligned to the APEC Privacy Framework.
The DPTM is an enterprise-wide certification: the assessor looks at the entire organisation’s data protection policies, processes and practices, unlike other certifications that look at a specific scope. The assessor examines all the processes involved in the collection, use, disclosure and storage of personal data.
For the CBPR and PRP, there is a specific scoping.
If an organisation goes for the CBPR, it will need to highlight and identify the specific data that is used for cross-border transfer, and that data will need to undergo the CBPR assessment.
A common example of personal data used for cross-border transfer is customer data. Taking this example, when a Singapore company sends data to an entity overseas, the certification scope and assessment will include the customer data and the policies and systems surrounding the transfer of that personal data.
2. Validity of Certification
The Data Protection Trustmark has a three-year validity, with no annual audit requirements, subscriptions or membership fees involved.
The CBPR and PRP have a one-year validity.
3. Applicability of Certification
Lastly, the Data Protection Trustmark is a certification granted per unique legal entity, identified by its UEN (Unique Entity Number). This means that subsidiaries would each have to go for individual certification.
However, for the APEC CBPR and PRP, subsidiaries or affiliates can be included in the certification. For example, if your company is the regional HQ in Singapore with subsidiaries in Malaysia and Indonesia, these subsidiaries can be included in the certification assessment, and if the certification application is successful in Singapore, the subsidiaries will also be awarded the APEC CBPR or PRP.
As highlighted by Yuit, the cost of the DPTM would be a sizeable undertaking for a typical SME.
There are two fees involved in Trustmark certification; this is similar to the CBPR, as the fee structures of the two have been intentionally aligned.
Firstly, an application fee of $535 is payable to IMDA. Dominic acknowledged that this is not a small amount for SMEs.
The second fee is the assessment fee, which depends on several factors: the assessment body chosen, as different bodies may offer different pricing, and the size of the organisation, measured by annual revenue, staff strength and the amount of personal data held by the organisation.
According to Dominic, for a typical SME the assessment fee has on average ranged between five and six thousand.
There can be a further component, consultancy. The Enterprise Development Grant (EDG) covers the assessment fee, and although consultancy is not mandatory, organisations that are unsure are advised to seek consultancy help, which is also covered by the grant.
The consultancy fee varies depending on the organisation’s readiness: consultants require more effort and man-days if the organisation is not ready, which increases the cost.
For organisations starting from the basics, there might be a lot to work on from a security baseline point of view. In some cases, tasks like data mapping can be particularly challenging, for example at a technology company dealing with large amounts of analytics data. The cost varies with the company’s level of maturity.
[Dominic Ng, IMDA]
By law, the appointment of a data protection officer is mandatory.
The person does not need to be certified or experienced, with certifications like CIPP/A etc. It would just need to be someone that the organisation deems suitable to do the job. For a lot of companies, especially SMEs, the director tends to be the DPO. This might have some advantage: as the director is the decision-maker, decisions can be made in the event of a breach.
If your organisation has not appointed a DPO today, please appoint one, as it will be a critical problem if your organisation gets into trouble.
In the new Act amendment, directors are only liable if there is criminal intent.
The DPO would not be singled out as a scapegoat in the event of a data breach; it would still be an organisation-wide investigation. However, the DPO, or whoever leaks the data with criminal intent, will be liable. This allows SMEs more freedom in assessing their data privacy obligations for their business, and not to be discouraged from using the data they have collected for legitimate business activities.
[Nevin Sim, Privasec]
The function of the DPO can be outsourced; however, a note to all: the responsibility will still lie with the management and the organisation in the event of a breach.
For many businesses like SMEs that might have limited resources, they can explore the option of outsourcing the function of a data privacy specialist. This option can be useful until they have developed adequate in-house capability, after accruing the expertise, competence and knowledge transferred between the vendor and themselves.
On the issue of grants, the Enterprise Development Grant supports any eligible organisation, not only SMEs. However, if your organisation is an SME, the level of support is higher. For the eligibility criteria, you need at least 30% local shareholding, and your organisation must be in a financially capable position to complete the project.
As mentioned, 31st March 2022 is the deadline for the 80% support quantum, after which it reverts to the original 70% cap.
2. Support/Assistance (Policies/Templates)
In terms of developing the policies, the regulators understand the challenges faced by SMEs: the majority of Singapore businesses are SMEs, and they need help in levelling up their data protection capabilities.
PDPC has developed policies and templates that are free of charge to use. There are also guides and resources on the PDPC website that SMEs can refer to, including templates on how organisations can address matters like retention and disposal, or how to respond in the event of a data breach.
Although there may be a lot of legal jargon, the regulators are improving the guides to make them more readable. Organisations may need some time and effort to go through these resources, but it is important for organisations, including SMEs, not to be overwhelmed and to take the first step on their data protection journey.