PRIVATE organisations have had to comply with the Personal Data Protection Act (PDPA) since it came into effect in Singapore on July 2, 2014. The PDPA governs the collection, use and disclosure of personal data such as a customer's name, age and e-mail address that is collected in the course of delivering goods and services.
While most organisations know that violating the PDPA can result in severe punishment, many are unsure about compliance. This is where internal auditors can help, not just with advice on an overall framework for compliance but also through independent reviews.
Here are eight tips to creating a good compliance framework:
1 Appoint a data protection officer
Organisations have to appoint a data protection officer to ensure compliance. The data protection officer needs to be very familiar with the scope, requirements and expectations of the PDPA.
This knowledge has to be shared company-wide, as compliance with the PDPA involves everyone.
2 The weakest link
It only takes one employee to violate the PDPA to undo all the efforts by an organisation. As the saying goes: "You are only as strong as your weakest link". Employees have to be aware that any data misuse, such as selling customer data to marketing firms or downloading personal data before leaving a company, could result in severe consequences. Internal auditors can help organisations ensure that PDPA training is rolled out to all relevant staff.
3 Track all personal data
Next, organisations have to be aware of what personal data they hold. Data can come in different forms, such as paper-based contracts, letters, purchase orders and invoices. Data could also be stored electronically, such as in the accounting system or in documents and applications.
An inventory should include personal data stored in shared folders, personal computers and mobile devices. Internal auditors can help organisations by checking that the data inventory is comprehensive.
4 Discard irrelevant data
After collating the inventory, organisations have to assess whether the appropriate data is being collected, as collecting excessive information will violate the PDPA. For example, a company responsible for delivering food may ask for the date of birth, marital status, age or even details of family members of its customers, when it only needs a name, address, mobile number, payment method details and preferred time of delivery. In addition, organisations must disclose how the personal data collected will be used. In this regard, auditors could look at the types of personal data collected by organisations and provide an independent view of the data collection process. Internal auditors could also check that data is used only as publicly disclosed.
5 Secure the data
Computer security is an essential aspect of protecting personal data. Hackers have become more sophisticated and reports of successful attacks are increasingly common. Internal auditors can help to check the robustness of installed security. The security should extend to personal data being transported electronically, such as through e-mail, or physical storage that is moved from destination to destination. Often overlooked is personal data that is sent to the printer for printing, as it remains in the printer memory after printing.
Internal auditors can review the IT infrastructure thoroughly to ascertain if an organisation's IT systems can withstand cyber-attacks.
Internal auditors can also help organisations to review the machine disposal procedures to ensure that data stored in printers and computers is completely removed before they are sent for recycling or disposal.
6 Managing archives
Retention policy is another area to review, as the PDPA expects organisations to dispose of all personal data for which there is no longer a legitimate reason to keep it, such as the details of job candidates who did not get the job. Internal auditors can review the policy and challenge management if there is a risk that personal data may be stored for excessive periods.
7 Data access privileges
Access to personal information should be granted to employees on a "need to know" basis. For example, while a credit officer needs personal information to assess customers' creditworthiness, a receptionist may not require such information and should not have access to it. Auditors can review the access matrix to ascertain if organisations are controlling information access appropriately.
8 Outsourced data counts, too
If companies outsource some of their non-core functions, such as the hosting of IT servers or the mailing of customers' invoices or statements of account, auditors can also help to evaluate the service providers to determine whether equally stringent and robust controls are enforced over the treatment of personal data.
The internal audit function can help to keep the entire organisation on its toes, not only for compliance but also for risk management and corporate governance.
Sometimes independent observers can spot potential gaps where others can see none. This is where internal auditors can add value, not just for PDPA compliance but also for continued company success.
The writer is governor of The Institute of Internal Auditors Singapore