Mitigating Human Error in Personal Data Management – PDPA Compliance to Cut Bottom-Line Losses

As cliche as it may sound, but a famous quote from Thomas Carlyle once stated “The greatest mistake is to imagine that we never err”.

The Personal Data Protection Act (PDPA) exists as a statute to govern the collection, use and disclosure of personal data by organisations. However, with the trifecta of “failure points” which includes human negligence, poorly implemented processes, and disregard for the act, the inadvertent result happens.

Based on a recent study by the Data Protection Excellence (DPEX) Centre, there is an increase in number of cases involving the breach of the Personal Data Protection Act 2012 (PDPA). The most high-profile case was that involving SingHealth. Excluding the fine slapped on SingHealth, the amount of fines issued thus far in 2019 is S$280,000, which is double the amount in 2018. It was found that 80% of the breaches concerned the protection obligation.

Immanuel Lim Zheng Feng, Associate Director of Covenant Chambers LLC shares some insights into some of the measures organisations should take to remain compliant and resilient to breaches.

What is the ‘protection obligation’ and how can organisations fulfil it? 

The protection obligation is mandated by section 24 of the PDPA, which essentially requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

The most common breaches of the protection obligation arise from (in descending order): negligence or error of employee, lack of data protection policies, and failure to obtain consent.

The touchstone of the protection obligation under section 24 is the reasonableness of the security arrangements. There is no standard solution of organisations. However, breaches of the PDPA are preventable, including the most common ones listed above. Every organisation should consider at least the following arrangements (non-exhaustive):

  1. Improvise and organize its security arrangements to fit the nature and form of the personal data collected by the organisation.
  2. Select and train personnel who will be in charge of information security.
  3. Develop a data protection policy which addresses appropriate levels of security for personal data of different levels of sensitivity by:
    1. Conducting a personal data audit; and
    2. Arranging the structure and content of the policy.
  4. Ensuring that there is staff or personnel who can respond to personal data breaches swiftly and competently.
  5. Implementing a practice of obtaining consent from individuals through appropriate ‘positive actions’ for consent to the collection, use and disclosure of personal data.

Another possible scenario concerns the offering of goods or services to individuals in the European Union (EU) or the monitoring of their behaviour within the EU.

It is important to note that in such a scenario, the European Union General Data Protection Regulation (GDPR) will apply, even if the organisation is located outside of the EU. As the GDPR is different from the PDPA, compliance with the PDPA does not necessarily equate to compliance with the GDPR and vice versa.

What are the key requirements of the GDPR?

They include (non-exhaustive):

  1. Processing requirements (Article 6)
    1. Consent must be given by the individual for the processing for one or more specific purposes; or
    2. Processing must be necessary only for purpose(s) stipulated by the GDPR
  2. Rights of individuals to:
    1. Access
    2. Rectify
    3. Erase
    4. Restrict processing
    5. Data portability
    6. Object
    7. Not be subject to automated decision-making (including profiling)
  3. Accountability and governance (Articles 25, 35 and 37)
  4. Data breach notification (Articles 33 and 34)

Administrative fines up to 20 million EUR or 4% of worldwide annual turnover of preceding financial year, whichever is higher, may be imposed for infringement of GDPR provisions.

Please contact us (by clicking on the profiles of Ronald JJ Wong and/or Immanuel Lim Zheng Feng) for further details on training of employees on PDPA requirements, personal data audit, drafting of data protection policies, and sector or industry-specific advice and strategies.