Breaches and Fines: Why Having a DPO Matters
The Singapore Personal Data Protection Commission (PDPC) defines a data breach as an incident that exposes personal data in the possession or under the control of an organisation to unauthorised access, use, disclosure, collection, modification, disposal, copying, or similar risks.
Data breaches can harm businesses and organisations in many ways: regulatory exposure, business losses, lost investor confidence, and loss of customer trust. For individuals, a breach can mean theft of social security or NRIC numbers and exposure of bank or credit account numbers, email addresses, passwords, and health records.
Breaches and Fines
In Singapore, Champion Tutor, a home tuition agency, was fined $10,000 for failing to secure the personal data of 4,625 of its students. It was the second time in two years that the company had been fined over data protection lapses. The company had failed to fix a security flaw on its website.
The lapse led to the leakage of personal information (students' names, addresses, and contact numbers) to the Dark Web. Stylez, another company, was fined $37,500 for leaking the personal data of over 9,983 individuals. Stylez operated the service comparison and local quotation portal iCompare.sg.
The portal promoted services such as movers, home loans, and wedding photography. The leak involved the records of its interior design and renovation clients between 2009 and 2016. The clients' names, phone numbers, and e-mail addresses were compromised.
Data Protection Officer: Why Having One Matters
Nowadays, DPO courses abound, and this is not surprising. Under the PDPA, organisations are required to designate at least one person as the data protection officer (DPO). The DPO is tasked with ensuring PDPA compliance and overseeing the organisation's data protection responsibilities. The function can be added to an existing role or be a dedicated position.
The appointed DPO may also delegate some responsibilities to other officers. Most DPOs take a PDPA course to stay up to date with, and compliant with, the latest rules.
Responsibilities of Data Protection Officers
DPOs have several roles and responsibilities. The most notable include, but are not limited to:
Ensuring PDPA compliance when creating and implementing processes and policies for handling personal data
Ensuring the creation of a data protection culture in the organisation and among employees and communicating personal data protection policies to stakeholders
Ensuring the management of personal data protection-related complaints and queries
Ensuring the organisation is alerted to any risks that can arise with regard to personal data
Liaising with the PDPC (if needed) on matters that are related to data protection
How to Support DPOs in Their Roles
Given the complex and varied responsibilities DPOs have, organisations and businesses can support them and help them fulfil their duties better by:
Giving them opportunities for professional learning through courses run by the Commission
Supporting their efforts by conducting risk assessments of current data management practices, covering who has access to data, how it is stored, and how it is destroyed when no longer needed
Proactively protecting personal data through reliable cybersecurity solutions
Implementing compliance-ready tools that take a defence-in-depth approach, layering logical, physical, and data-level security controls alongside sound operational practices
Ultimately, protecting personal data is an obligation every organisation and business must meet. The right digital solutions, combined with the appointment of a competent, skilled, and diligent DPO, help ensure that data gaps are identified, breaches are minimised, and the organisation stays compliant.