DATA & PRIVACY ARTICLE - ACCOUNTABILITY IN DATA PROTECTION
Accountability in Data Protection
Since the Personal Data Protection Act (PDPA) 2012 shifted its emphasis from the 10 Obligations to organisations’ accountability in 2021, organisations that do not yet have a data protection management programme in place may not have considered how accountability is linked to self-governance of data protection compliance. Accountability is a fundamental principle of the PDPA: organisations must take responsibility for the personal data under their care through a structured approach that will:
- Ensure that staff practices comply with the organisation’s policies and procedures for data protection and PDPA compliance,
- Ensure that the organisation’s PDPA compliance measures are available to the customers who have entrusted it with their personal data,
- Ensure that the organisation is able to cooperate with regulatory authorities on complaints, investigations and data breaches.
What does it mean for organisations that have yet to set up a data protection management system (DPMS)?
While the Personal Data Protection Commission has advocated that organisations have a data protection management programme in place, my view is that a system, rather than a programme, would be more valuable to organisations. A system requires the organisation to monitor its effectiveness, enables scalability and ensures sustainability. It is not meaningful for organisations to implement a programme or a system if they are unable to dedicate resources to protecting their customers’ personal data.
- Ensure that staff practices comply with the organisation’s policies and procedures for data protection and PDPA compliance
One school of thought is that organisations’ documentation of implemented policies and procedures demonstrates their data protection efforts. Documentation requires sustained effort; if this fundamental is not in place, it is uncertain whether the organisation has proper measures in place to protect personal data. However, it is not uncommon for companies to lack such documentation. This may arise from the company’s standpoint that data protection is not a significant business risk, given the PDPA penalties and the (low) likelihood of a data breach being revealed publicly. After all, the regulator’s investigations stem from a customer’s complaint or from a data breach being made known. PDPA compliance is not taken seriously by companies that fulfil statutory requirements on paper, i.e., appoint a data protection officer (DPO) and put up a data protection statement on their website. When customers read a statement that is titled as a policy, it functions more as a statement, since how the company’s policy would be implemented and enforced is not revealed. The appointed DPO may not have received the company’s support to become proficient in PDPA compliance, let alone in data protection for the company’s clients.
Policies and procedures are a means to an end: the focus is to ensure that employees’ behaviours and practices comply with the organisation’s directions on data protection. This sets organisations that are committed to data protection apart from those that prefer ‘paper’ compliance.
There are various means to ensure compliant practices; one common way is mandatory regular training for all employees in the organisation, not limited to a selected few. While not all staff may handle personal data in their areas of work, it is important to build an organisational culture in which everyone understands the importance of data protection and how they can play their part. Management is ultimately accountable for the company’s data protection, not the DPO. It is evident that when management does not support data protection, cracks appear in daily operational practices. It takes just one mistake to cause a data breach.
- Ensure that the organisation’s PDPA compliance measures are available to the customers who have entrusted it with their personal data
In addition to the commitment to data protection in their policies, organisations have to be open about their compliance measures to customers, who have the right to ask. Compliance measures are not restricted to customers only; they should cover employees’ personal data as well. The measures would generally include:
- The organisation’s approach to protecting personal data, including not over-retaining personal data,
- Its promise to notify affected individuals promptly of a data breach, so that the individuals can minimise the potential harm arising from the data leak; and,
- Implemented policies that are relevant to the prevailing laws, societal norms and stakeholders’ expectations, as a way to engender trust.
A thought leader shared that the data breach notification in the General Data Protection Regulation underlines a principle whereby customers and the public hold controllers (or organisations, in the PDPA) accountable for making things right after a data breach. This is more effective than the regulator’s penalty alone. The same can be said for the PDPA’s Mandatory Data Breach Notification Obligation (MDBNO) and how organisations should be transparent in disclosing their breaches to affected individuals, even if the impact is lower than the stipulated criteria of the MDBNO.
Savvy consumers should be aware that there is a trade-off between convenience and security when it comes to the use of personal data. Also, if it sounds too good to be true, it likely is. When individuals pay a low fee for a service or product, they have to be clear about their risk appetite in disclosing personal data, contact details and financial information to third parties, given that proper security requires resources.
- Ensure that the organisation is able to cooperate with regulatory authorities on complaints, investigations and data breaches
If organisations are motivated to avoid the financial penalties for PDPA infringement, they would want to cooperate with the authorities on complaints, investigations and data breaches as a baseline requirement. However, organisations that have yet to grasp the accountability principle would be challenged to fully support the authorities with proper documentation and relevant evidence of their data protection measures. Organisations that take their reputation seriously tend to monitor complaints received about possible PDPA infringements or privacy concerns. Having a process to manage complaints and feedback while ensuring confidentiality requires due care and consideration by management. It would not be appropriate to use the same customer feedback channel for data breach incident management if the incident would be investigated by the same staff who caused the breach. The timeline should be in accordance with the MDBNO, and proper records should be kept of management’s decision not to report an incident to the PDPC and of the risk assessment of the impact on affected individuals. The data breach report should go directly to management; thus there is an expectation that the organisation’s DPO has direct access to the Chief Executive Officer or equivalent, and there should be no conflict of interest preventing the DPO from carrying out his or her job objectively.
The Personal Data Protection Commission (PDPC) advocates that complaints be resolved by the organisations themselves, so it is important for organisations to have a systematic complaint and incident management process for potential PDPA infringements. Complaints that are resolved in a timely manner with affected individuals should be made known to the PDPC voluntarily, for transparency and to avoid potential future disputes with affected individuals. My personal view is that organisations that choose to admit their mistakes and rectify them in a timely manner would be more committed to preventing infringements and breaches. Consumers who value their privacy and PDPA rights should be wary of organisations that misuse personal data deliberately or repeatedly.
Accountability matters
As a good practice to strengthen its data protection competencies, an organisation can demonstrate accountability by establishing a structure for governance and risk assessments, by developing management policies and practices for the handling of personal data, and by establishing processes to operationalise those policies and practices. This is a compelling value proposition to customers, partners and employees. The most powerful persuasion for organisations to be accountable for data protection is when customers speak with their purchasing power. When customers paid for a product or service, they did not agree to sacrifice their privacy or to be affected by possible impersonation or scams. Organisations that demonstrate accountability go a much longer way in cementing their legacies and public trust.
Contributed by Yvonne Wong, Co-opted Committee Member, EXCO, Association of Information Security Professionals (AiSP)
Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She is volunteering in the Cyber Threat Intelligence Special Interest Group (SIG), and Data and Privacy SIG, and is a Fellow in Information Privacy with International Association of Privacy Professionals. Yvonne has been a practitioner, consultant and trainer for Governance, Risk and Compliance (GRC) since 2015. She is presently the Senior Manager in the Yishun Health Data Protection Office.