PDPA Risk Assessment Explained
Apply Enterprise Risk Management in Personal Data Protection
Personal Data Protection has gained increasing emphasis on the enterprise risk management dashboards of many risk managers and practitioners.
Why is that so? Why is PDPA Risk Assessment important to companies?
One of the key reasons why personal data has been in the spotlight is that more and more countries have put in place laws and legislation on personal data protection. The most landmark law is the GDPR (General Data Protection Regulation), the data protection law passed by the European Commission in May 2018 that covers all countries in the European Union (EU) and the European Economic Area (EEA). Other countries such as the USA, France and Australia, and even several in Asia (including Singapore), started to introduce guidelines and subsequently laws on Personal Data Protection. Malaysia and Singapore implemented the Personal Data Protection Act (PDPA) in 2010 and 2012 respectively. These two neighbouring countries just happen to use the same name for their data protection law.
Here at Comply PDPA Singapore, we provide advisory services for the PDPA. In fact, in time to come, Thailand and Indonesia will have the same law too, and yes, under the same name: PDPA!
The Increasing Need for PDPA Risk Assessment
Most corporations hold personal data and must protect it because of the legal obligations mentioned above. Whether it is the personal data of customers or of internal stakeholders, which may include employees, shareholders or beneficiaries, it has to be protected. The challenge in a large corporation is establishing clear accountability for the protection of personal data. Which department implements, assesses and sustains the compliance?
To understand where the challenge lies, we need to understand a little about the management of risks. In the traditional world of risk management, risks were typically managed in silos. In other words, risks were handled by the functional groups in the organisation, very often by the head of the department in charge of that function, such as Sales and Marketing, Human Resources, Finance, IT, etc.
In a corporation that applies traditional risk management, there may not be a single central control that manages data protection; rather, each department that holds some form of personal data will have its own way of managing it. For instance, the Human Resource department that handles staff data will have its own process; the Sales and Marketing team that does digital and onsite marketing and promotions will also have its own processes for collecting, storing and using the data; and then there is the IT department, which is involved with both the HR and Marketing teams because both use the servers in the office. If this is not managed well, management may not be able to get a grasp of the personal data inventory and thus will not be able to manage the potential risks.
In more recent and modern methods of risk management, risks are managed collectively, across the organisation as a whole, for strategic rather than operational reasons. The fundamental goal of Enterprise Risk Management (ERM) is to coordinate, integrate and provide a unified picture to stakeholders so that better strategic decisions can be made. In relation to personal data protection, the application of ERM is likely to prove highly effective in organisations today because an appointed Data Protection Officer or team can be made responsible for creating company-wide policies and processes. This ensures consistency and clarity, not forgetting clear accountability for data protection. That is likely the reason why, under most legislation (including the GDPR applicable in the EU, the PDPA in Singapore and many others), the appointment of a Data Protection Officer (DPO) is mandatory, and the DPO often has to be trained or at least have a breadth of functional experience.
In conclusion, compliance with personal data protection is not just a task to be handled by casually appointing the next and most convenient person in the organisation. It requires management to have an understanding of Enterprise Risk Management and then to treat data protection as one of the obligatory compliance areas the organisation needs to look into, not only because it may be required in the country where it operates, but because it will likely be an important strategic trust of the organisation as well, if not now then certainly in the near future.