In this article, we will summarize the Personal Data Protection Commission (PDPC) guidelines' provisions on Accountability. This part of the PDPC guidelines focuses on accountability in managing personal data. These provisions were first presented to the public last July 15 by Mr. Tan Kiat How at the International Association of Privacy Professionals (IAPP) conference.
Without further ado, here are the things you should know about the PDPC guidelines on accountability in managing and handling personal data. The aim is to help companies and organizations improve their existing data protection practices or put new ones in place.
Accountability Guide Objectives
First and foremost, let’s discuss why this guide on accountability is very important.
- It explains the principle of accountability in terms of protecting personal data and how it was implemented specifically in Singapore.
- The guide can also help companies and organizations put accountability-based measures, rules, and processes in place.
- The accountability guide is part of the PDPC’s efforts to highlight accountability in personal data protection on top of compliance.
- The PDPC guidelines on accountability require companies and organizations to ensure compliance and to demonstrate, through concrete measures, that they are indeed doing so. This includes appointing a data protection officer and drawing up internal and external data protection policies.
Accountability Guide Measures
The PDPC guidelines on accountability are made of measures that must be implemented by companies and organizations that handle and manage personal data. These said measures are the following:
First and foremost, there’s policy. When it comes to putting company policies in place, it is important to keep in mind that accountability measures should include embedding personal data protection into corporate governance. This can be done by involving company officials from senior management. Another way is to develop personal data protection policies and communicate them clearly, both internally and externally.
Another measure is focusing on the people aspect of implementing the guidelines. Companies and organizations must make sure to instill the concept that responsible personal data protection must be practiced by each and every employee.
Moreover, it is also very important to ensure that every employee whose direct job function involves managing personal data is aware of, and complies with, the data protection policies and processes set in place in the workplace. It goes without saying that these employees must also undergo rigorous training that is specific to their areas of function.
Simply put, data protection must be encouraged to be part of the company’s culture.
Last but not least, operationalizing data protection policies is a must. This must be done throughout the life cycle of the personal data handled by the company or organization. Plus, it should be implemented across processes, systems, services, and products.
In addition to this, these measures and processes should undergo thorough and regular review to meet the changing needs of the business and be improved in step with regulatory and technological developments.
This part of the provision is one of the key concepts of the PDPC guidelines on accountability because it highlights the importance of keeping these rules and regulations reviewed and updated.
Personal Data Protection Act Updates
PDPC has also updated its Advisory Guidelines on Key Concepts in the Personal Data Protection Act (PDPA) to provide clarification on the relevant PDPA obligations and measures for accountability in personal data protection. This reflects the developments in data protection and supports the shift towards accountability in a Digital Economy.
Organizations may find it useful to refer to accountability tools that PDPC has introduced, such as the Guide to Data Protection Impact Assessment (DPIA), the Guide to Data Protection by Design for ICT Systems and the Guide to Managing Data Breaches 2.0.