Data Privacy Consultancy
“I am worried about breaching the Personal Data Protection Act (“PDPA”), being fined and suffering reputational damage like many others have experienced.”
“What should I do if my customers now require me to showcase sound data privacy practices before they are willing to do business with me?”
“How do I focus on my business with limited manpower and yet comply with the PDPA?”
The above are some challenges in respect to PDPA that we increasingly hear from organisations these days. If you have these concerns too, do reach out to our qualified data privacy consultants for a complimentary discussion on:
- how you can comply with the PDPA in an effective, yet simple and inexpensive way
- the relevant data protection certifications (e.g. Data Protection Trustmark (“DPTM”)) to boost your brand
- how we can assist you to obtain government grants for PDPA-related consultancy projects.
Why Choose Us?
Unlike others, our Data Privacy team comprises experienced internal auditors and cybersecurity specialists, including Certified Internal Auditors and Certified Practitioners in Personal Data Protection. Our CQI-certified consultant has successfully assisted companies in applying for government grants for data protection certifications.
To comply well with the PDPA, we see it as more critical to identify and rectify the process and control gaps that could lead to non-compliance, for instance excessive user access rights, lack of review and approval of documents, weak IT security and inadequate segregation of duties, to name a few. This is what internal auditors and cybersecurity specialists are trained to do. We are also trained to be highly responsive and to provide practical, cost-effective recommendations to rectify the gaps noted. We believe that complying with the PDPA and attaining certification requires more than merely appointing someone who can draft policies and fill in checklists.
Our Consultancy Package
- Outsourced Data Protection Officer (“DPO”)
- Formulation of Policies and Procedures relating to PDPA
- Employee Training on PDPA
- Monitoring of Compliance with PDPA
- Outsourcing Risk Management
Premium (Grants Available)
- Advisory for Data Protection Certifications
- Gap Analysis and Process Audits on PDPA
- Monitoring of Compliance with PDPA
- Data Breach Management
Frequently Asked Questions About Data Privacy in Singapore
Under the Personal Data Protection Act (“PDPA”), organisations are required to designate at least one individual as the data protection officer (“DPO”) to oversee data protection responsibilities and ensure compliance with the PDPA. The DPO function may be a dedicated responsibility or added to an existing role in the organisation. The appointed DPO may also delegate certain responsibilities to other officers.
Organisations with manpower constraints may outsource operational aspects of the DPO function to a service provider. However, the overall DPO function remains the management's responsibility.
Organisations may be subject to an investigation by the Personal Data Protection Commission (“PDPC”) which can be a lengthy (up to 18 months), costly and tedious process for the management.
The PDPC may impose a financial penalty of up to S$1 million or 10% of the organisation’s annual turnover in Singapore, whichever is higher. Organisations found to be in breach of the PDPA may also be named publicly on the PDPC website (https://www.pdpc.gov.sg/commissions-decisions) and in the media.
Organisations should ensure that sound data protection practices are in place, including a qualified data protection officer, comprehensive data protection policies, employee training, third-party vendor management and cybersecurity measures. These are the more common areas of lapses reported by the PDPC. Independent checks or audits should be carried out regularly (at least once a year) to validate that these practices remain robust and are followed by all parties handling the organisation's personal data, including third-party vendors.
Increasingly, organisations are requiring tenderers of projects and their vendors to demonstrate that they have established robust data protection practices before they are willing to transact with them. If you are a tenderer or vendor, the best way to demonstrate this is to furnish a related certification such as the DPTM, which is issued by a credible authority, in this case the Infocomm Media Development Authority (“IMDA”).
The cost of attaining data protection certification depends on the effort required by the consultant and the assessor to implement and audit the necessary practices and documents respectively. The required effort is often determined by the number of organisations to be certified and the nature and complexity of the operations and the personal data managed.
Qualified organisations can explore government funding under the Enterprise Development Grant, which provides up to 70% funding support for the certification cost, covering the fees of both the consultant and the assessor. One of the requirements to qualify for the grant is that the organisation appoints a Consultant Quality Initiative (“CQI”) certified management consultant.
On average, the certification process may take between six months and a year. This also depends on the commitment of the management team to work with the consultant and assessor to implement the necessary practices.