Data privacy and protection (DPP) laws are not exactly new to the compliance and security landscape. However, the General Data Protection Regulation (GDPR) is encouraging organisations to have a more formal approach to DPP.
In Singapore, they have the Personal Data Protection Act (PDPA). The PDPA gives a baseline standard of personal data protection in Singapore. The PDPA also works by regulating the flow of personal data among organisations.
If your organisation want to start your data protection journey, the following steps should get your efforts off to a superb start:
Identify DPP Leadership
Start with leads, sponsors, and champions—who will be leading the initial project to establish the data protection program. Will those people continue leading the programme once it has been established?
Who will be the subject matter experts? Ensure they are involved from the very beginning. Depending on the complexity and size of the organisation, this can include roles from privacy, compliance, legal, security, senior management, and project management.
For an organisation that is new to privacy compliance and data protection, internal knowledge building is necessary. In line with this, connecting with privacy professionals for guidance can help. Start by:
- Joining International Association of Privacy Professionals (IAPP)
- Joining the Data Protection Excellence Network (DPEX Network)
- Joining data privacy groups on LinkedIn
- Listening to data privacy webinars
Determine Your Goals
What are the goals of your data protection programme? If the end results can be defined early, it can help everyone stay focused on moving in the right direction. Having a data protection programme can also provide clarity so the organisation can determine the team’s authority, responsibilities, governance structure, and overall scope.
Assemble the Team
Data lives in every corner of your organisation. That said, consider including those with knowledge of data in your organisation. You need to also include both non-technical and technical individuals. Since their jobs are different in nature, they also have different perspectives of data.
As the team is assembled, it is essential to explain clearly the time commitments so those with the appropriate bandwidth can get involved. It is also a good idea to record presentations that set the context for the project so you won’t have to reiterate the scope of the project and the goals in case a team member opts out.
Most privacy-related analytical work and development are typically added on top of the existing workloads throughout finance, HR, technology, and so forth, getting buy-in from stakeholders will require persuasion, diplomacy, and mutual respect. Without this, it would be difficult for the project to get the prioritisation it requires.
Fortunately the key people can serve as your privacy champions and can help advance privacy efforts such as:
- Development of portability, erasure, and other Data Subject Right procedures
- Creating destruction and retention procedures
- Looping the organisation into new processes where they can embed privacy by default and design
Find the Data
“You can’t protect what you can’t see” is a popular cybersecurity adage. That said, the importance of finding where data lives within the organisation cannot be overstated. This can also involve assembling individuals that are familiar with the data flow and processes from various parts of the organisation.
Performing data mapping and data inventories in one-on-sessions with important stakeholders is also recommended, if possible. This can provide significant benefits such as greater buy-in, better rapport, and more effective collaboration.
Refine and Reiterate
Is it possible for an organisation to be 100% compliant? This is an important question especially since the data protection landscape is ever evolving. In GDPR, new technologies and new processes will require new Privacy Impact Assessments (PIA), new data inventories, and new Article 30 records.
In addition, as the processes are audited, it is likely that you will find room for improvement, gaps, and several ways to make the processes more efficient.