1 / 4

A Complete Guide to PDPA Compliance for SMEs

Key information regarding the Personal Data Protection Act (PDPA) and presents a comprehensive action plan for ensuring compliance. The recommendations are tailored for Small and Medium Enterprises (SMEs).

Jamson
Download Presentation

A Complete Guide to PDPA Compliance for SMEs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. News & Insights About Join Us Capacity Capability Credibility Careers Contact Helpdesk Support Talk to an Expert Home » A Complete Guide to PDPA Compliance for SMEs A Complete Guide to PDPA Compliance for SMEs Latest Updates  View All How to Maximise Your IT Budget in 2024: A Guide for Singapore Businesses Published On: September 18, 2024  September 17, 2024 Share: How IT Managed Services Can Help Businesses Reduce Downtime and Enhance Productivity?       September 6, 2024 Why Enterprise Backup and Recovery is a Lifesaver for Your Business  September 2, 2024 This article outlines key information regarding the Personal Data Protection Act (PDPA) and presents a comprehensive action plan for ensuring compliance. The recommendations are tailored for Small and Medium Enterprises (SMEs). 1. What is the mandatory requirement by PDPC? All companies registered in Singapore are required to appoint a Data Protection Of?cer (DPO) and ensure that their business contact information is publicly accessible by 30 September 2024. 2. How do I update the DPO contact via Biz?le + (ACRA)? To update your DPO contact, please use Microsoft Edge or Google Chrome, as Mozilla Firefox is not fully compatible with the above mentioned websites. For organisations registered with ACRA, please register/ update your DPO info via https://www.biz?le.gov.sg On the top menu, go to eServices > Others > Register/ Update Data Protection Of?cer(s).

  2. Please note that the right Corppass access is required to update DPO information. Follow the steps on the website to register. 3. Are there any quali?cation requirements for a DPO? The appointed Data Protection Of?cer (DPO) should be a senior member of the organisation. In many Small and Medium Enterprises (SMEs), I.T. or H.R. managers are often assigned this role, as they are typically responsible for handling and processing personal data. Given the signi?cant responsibilities of a DPO, we recommend that the appointed individual be well versed in PDPA regulations and pro?cient in data protection policies, as well as fundamental cybersecurity controls. I have personally attended the PDPA course conducted by Singapore Management University (SMU) and highly recommend it for all appointed DPOs. The three-day course, led by Celine Chew, was insightful and professionally delivered. Her expertise made the course highly valuable, and the seminar environment was both conducive and comfortable for learning. We recommend that you attend and take the certi?cation exam to ensure formal recognition as a certi?ed DPO. For more information, please access the website link here. 4. What must a DPO do? 1. Conduct a Data Inventory 2. Implement Security Measures 3. Setup I.T. Policies 4. Conduct Staff Training 5. Handle cyber incident and report to PDPC This process is not a one-time effort but rather a continuous cycle. Regular reviews and updates of the data inventory, security measures, I.T. policies, and staff training are essential to adapting to new threats, regulatory changes, and technological advancements. Step 1 – Data Inventory To protect personal data effectively, the ?rst step is to conduct a comprehensive inventory of all personal data within the organisation. This data may exist in various forms, including physical (hard copy), digital (soft copy), databases, and backups. It could be stored in different locations, such as on-premises servers, cloud-based platforms, or with third-party hosting providers and/or data shared with external data intermediaries. Step 2 – Implement Security Measures PDPC recommends the following technical measures as shown below. Based on our professional experience, we consider measures 1 through 7 to be critical and essential for ensuring compliance with the Personal Data Protection Act (PDPA). These measures should be prioritised in your data protection strategy.

  3. Step 3 – Setup I.T. Policies IT policies must be established, formally endorsed and approved by management, and communicated clearly to all staff members for effective implementation. 5 Essential IT Policies are, 3a – IT Security Policy An IT Security Policy outlines the rules and procedures governing the access and use of an organisation’s IT assets and resources by all individuals. 3b – Acceptable use policy An Acceptable Use Policy (AUP) stipulates the constraints and practices that users must adhere to when accessing the corporate network or the internet. For example: Corporate email accounts must be used strictly for business purposes. Downloading movies or engaging in other non-business activities using the of?ce internet is strictly prohibited. 3c – Data Protection Policy A Data Protection Policy outlines the organisation’s commitment to protecting personal data and procedures for how personal data is collected, stored, and used in compliance with PDPA. 3d– Remote Access Policy The Remote Access Policy speci?es the acceptable methods for remotely connecting to the organisation’s internal network. 3e – Incident Response Policy This policy de?nes the roles, responsibilities, and procedures for responding to security incidents swiftly and effectively. Step 4 – Conduct Staff training on Cybersecurity and data protection 1. Regularly share news on the latest scams and cyberattacks to all staff 2. Conduct e-learning programs, quizzes and interactive games focused on data protection 3. Launch phishing simulation campaigns to enhance staff awareness and vigilance regarding cybersecurity. 5. What actions should a DPO take in the event of a cyber-attack or data breach? 1. For personal data loss of 500 or more, you are required to report to PDPC. 2. For ?nancial loss and criminal activity, you are required to report to the police and relevant ?nancial institutions. 3. For advanced persistent threats (APTs) or national security threats, do not hesitate to contact the Cyber Security Agency (CSA) for assistance. Here is the list of useful links: https://www.police.gov.sg/Advisories/Crime/Cybercrime/Ransomware https://go.gov.sg/singcert-incident-reporting-form https://eservice.pdpc.gov.sg/case/db https://www.csa.gov.sg/reporting Notify the client or supplier involved If your organisation experiences an attack, notify your customers, clients, suppliers, as well as staff and employees, so they can take appropriate measures to protect themselves. Your legal team or service provider may assist in facilitating the noti?cation process. Reporting to Authorities Organisations may need to assume that data could have been ex?ltrated if the threat actor successfully accessed your infrastructure or systems.

  4. DPO must report to the police if criminal activity (e.g., hacking, theft, or unauthorized system access by an employee) is suspected and to preserve evidence for investigation. Organisations should assume that data may have been ex?ltrated if a threat actor has successfully accessed your infrastructure or systems. The Data Protection Of?cer (DPO) must report any suspected criminal activity, such as hacking, theft, or unauthorized access by an employee, to the police. It is also crucial to preserve all relevant evidence for subsequent investigation. Lim Jamson is the author of the article. Jamson is a technopreneur with a strong passion for cloud computing and cybersecurity. He holds a master’s degree in computing from the National University of Singapore (NUS). Additionally, he is a Certi?ed Ethical Hacker and a Practitioner in Personal Data Protection. DPO as a Service. If your company plans to outsource the DPO appointment, Entrust Network offers DPO as a Service, from consultation to implementation and ongoing support, Our DPO service ensures your data management practices are secure and aligned with legal standards. Select the plan that ?ts your requirements and protect your data with con?dence. View Our Pricing Entrust Network has been supporting SMEs since 2006. Let us become a part of your team. Contact Us WHO WE ARE OUR SOLUTIONS CREDIBILITY Recognised as one of the most trusted IT Company in Singapore, we have helped businesses in various industries to plan, integrate, manage and maintain their IT infrastructure. Corporate Pro?le IT Helpdesk Service Clientele Why Entrust IT Managed Service Partners & Suppliers News & Insights IT Service for NGOs Certi?cations Careers Microsoft 365 Contact Enterprise Wireless / Network Enterprise Backup & Recovery Next-Gen Firewall (NGFW) Endpoint Security & Control SIEM / Network Monitoring DPO as a Service Cyber Security Services Privacy Notice Copyright © 2006-2024 Entrust Network Services Pte Ltd. All rights reserved. Designed by SBWD

More Related