Guide To Developing A Data Protection Management Programme (Aug 2023)

This document provides guidance on developing a Data Protection Management Programme (DPMP) to establish accountability for data protection. It outlines a four-step process: 1) Establishing governance and assessing risks; 2) Developing policies and practices; 3) Designing processes to implement policies; 4) Maintaining policies and processes. The first step involves defining values, appointing a Data Protection Officer, and identifying risks. The second step develops a data protection policy and practices. The third step designs processes to operationalize the policy. The fourth step details reviewing and updating policies and processes over time. The goal is to demonstrate accountability and build trust with stakeholders.

GUIDE TO DEVELOPING A DATA PROTECTION MANAGEMENT PROGRAMME

CONTENTS

INTRODUCTION ........ 4
  What is a DPMP? ........ 5
  Why Do You Need a DPMP? ........ 6

PART I: GOVERNANCE AND RISK ASSESSMENT ........ 7
  Governance Structure and Values ........ 8
  Risk Assessment ........ 11

PART II: POLICY AND PRACTICES ........ 14
  Data Protection Policies and Practices ........ 15
  What Should Be in a Policy? ........ 15
  Incorporate Good Data Protection Practices ........ 19
  Communicate Policies to Customers (E.g. Clients, Donors, Other Organisations) ........ 21

PART III: PROCESSES ........ 22
  Risk Identification and Mapping ........ 23
  Risk Remediation and Controls ........ 25
  Risk Monitoring and Reporting ........ 27

PART IV: MAINTENANCE ........ 29
  Reviewing Data Protection Policies and Practices ........ 30
  Frequency of Review ........ 30
  Establish an Audit Structure ........ 31
  Keeping Data Protection Policies and Practices Relevant ........ 31

ANNEX A: ILLUSTRATION OF DPO IN AN ORGANISATION ........ 34
ANNEX B: TRAINING AND COMMUNICATION INITIATIVES IN A TYPICAL EMPLOYMENT JOURNEY ........ 35
ANNEX C: DATA INVENTORY MAP AND DATA FLOW DIAGRAM ........ 38

INTRODUCTION

Accountability requires organisations to undertake measures to manage and protect personal data in order to meet their obligations under the Personal Data Protection Act ("PDPA"). This includes adapting legal requirements into policies and practices, and utilising monitoring mechanisms and controls to ensure that those policies and processes are effectively implemented. It also includes building an organisational culture of responsibility through training and awareness programmes.

This guide provides information on how organisations may demonstrate accountability by implementing a Data Protection Management Programme ("DPMP"). Organisations may review and benchmark their existing personal data protection policies and practices against the framework and considerations provided in this guide [1]. Ultimately, organisations should tailor their personal data protection policies and processes to their organisational needs.

WHAT IS A DPMP?

The DPMP is a four-step programme to establish a robust data protection infrastructure:

Step 1: Governance and Risk Assessment. Establishing a governance structure to define values and identify risks with organisational leadership.
Step 2: Policy and Practices. Developing a data protection policy and data protection practices.
Step 3: Processes. Designing processes to operationalise policy.
Step 4: Maintenance. Detailing steps to keep data protection policy and processes up to date.

[1] Organisations should note that adopting the suggestions in this guide does not mean that it would be in compliance with the PDPA. An organisation should consider whether the suggestions in this guide could be adapted for its specific circumstances.

WHY DO YOU NEED A DPMP?

Having an established DPMP helps an organisation to demonstrate accountability in data protection. This provides confidence to stakeholders and fosters higher-trust relationships with customers and business partners for business competitiveness.

This guide will address the four-step process as follows: Step 1, Governance and Risk Assessment; Step 2, Policies and Practices; Step 3, Processes; Step 4, Maintenance.

PART I: GOVERNANCE AND RISK ASSESSMENT

GOVERNANCE STRUCTURE AND VALUES

Role of Senior Management

To demonstrate commitment to personal data protection, the senior management of an organisation should be responsible for the organisation’s approach to handling personal data. The senior management provides leadership through:

• Defining the strategic corporate values and principles to align data protection obligations and responsibilities within the organisation;
• Allocating resources (e.g. budget, manpower) to data protection;
• Appointing and empowering the Data Protection Officer ("DPO");
• Monitoring and managing personal data protection risks as part of corporate governance (e.g. corporate risk management framework), and where relevant, reporting to the board which typically oversees risk governance;
• Providing strategic guidance on the implementation of data protection initiatives;
• Approving the organisation’s data protection policies and DPMP;
• Commissioning Data Protection Impact Assessments ("DPIA");
• Advocating data protection training;
• Providing direction to the DPO for handling of major complaints and managing data breaches, including implementation of remediation plans; and
• Providing direction to the DPO for communication and liaison with the Personal Data Protection Commission ("PDPC").

Role of the DPO

It is mandatory for organisations to designate at least one individual to be the DPO, who is responsible for ensuring that the organisation complies with the PDPA. Having an established DPMP would help the DPO meet the following key responsibilities:

• Driving the development and review of data protection policies and processes;
• Ensuring compliance with the PDPA through data protection policies and processes;
• Fostering a personal data protection culture within the organisation and communicating the organisation’s personal data protection policies to stakeholders;
• Identifying and alerting management to any risk that might arise with regard to the personal data handled by the organisation;
• Handling access and correction requests to personal data;
• Managing personal data protection-related queries and complaints; and
• Engaging with the PDPC on personal data protection matters, if necessary.

DPOs are also strongly encouraged to use the DPO Competency Framework and Training Roadmap [2] to build core competencies and achieve the proficiency levels set out for a DPO.

Oversight and Governance

Data protection is a topic that should have board and senior management level oversight. An appropriate governance structure should be established at both board and senior management levels. It is acceptable to integrate data protection into existing governance structures within the organisation, whenever this is possible. As a start, organisations can refer to the Board Risk Committee Guide developed by the Singapore Institute of Directors (SID) for more information on the board’s role of overseeing and ensuring the adequacy and effectiveness of a company’s risk management and internal controls within the context of the business and regulatory environment in Singapore.

The DPO is a key management function within this oversight and governance structure. Given the requirement for the DPO to effectively lead data protection initiatives across the organisation, a DPO should ideally be an appointment within the organisation’s senior management. If the DPO is not appointed from the ranks of senior management, he/she should have a direct line of reporting to senior management. The responsibilities of the DPO can be taken on by one personnel or a group of personnel. Some organisations may decide to outsource DPO functions to, for example, a service provider or centralised corporate functions within a group of companies. When outsourcing the DPO function, the organisation should still ensure that a member of the senior management remains responsible to oversee and work with the outsourced DPO. Please refer to Annex A for an illustration of how a DPO may sit within the structure of an organisation.

[2] Refer to the DPO Competency Framework and Training Roadmap.

Culture of Accountability and Staff Training

A culture of accountability towards data protection in an organisation is crucial. This includes awareness and alertness to data protection issues among all staff, which is dependent on education and buy-in from senior management.

It should be noted that personal data protection cuts across roles, functions and hierarchy in the organisation, and should be recognised and practised by all levels in the organisation (including volunteers, agents and contract staff), rather than being limited to the appointed data protection representatives.

In particular, staff that handle personal data (e.g. sales), or are responsible for implementing personal data protection measures (e.g. IT), would need to be diligent in adhering to the organisation’s data protection policies and processes. It would thus be important for them to receive and undergo more thorough data protection training.

In this regard, organisations should ensure that data protection awareness and education are implemented top-down, from the Board of Directors to management and staff. Organisations should also design their training and briefings according to the roles and responsibilities or job functions in the organisation, share personal data protection measures and embed personal data protection-related topics into their staff training and communication plan. Regular circulars may be used to generate awareness and foster a culture of personal data protection. Staff should constantly stay alert to risks and take proactive steps in response. This could be backed by incentives and reward systems to encourage such behaviour and promote awareness of management support. An overview of possible training and communication initiatives, and the phases at which they may be conducted throughout a typical employment journey, is illustrated in Annex B.

RISK ASSESSMENT

Understanding Risks

The senior management of an organisation should have an understanding of risks and review the risks on a regular basis to take into consideration changes in business models, regulations, technology and other factors. An organisation should also consider other risks arising from data beyond personal data. An organisation may consider these four general categories of risk:

• Strategic: Risks affecting achievement of the strategic objectives of the company (e.g. governance, strategic planning, major initiatives). This may affect a company’s ability to comply with the PDPA.
• Operational: Risks affecting the operations of the organisation (e.g. sales and marketing, supply chain). This may be a factor in whether the company can comply with the PDPA.
• Compliance: Risks affecting the company’s compliance with regulatory requirements (e.g. legal, code of conduct). This would include compliance with the PDPA.
• Financial: Risks affecting the financial processes of the company (e.g. accounting and reporting, tax). This may arise as a result of fines incurred from failing to comply with the PDPA.

Enterprise Risk Management

Enterprise Risk Management ("ERM") [3] is a process effected by the organisation’s Board of Directors, management and staff. It is applied in strategy setting and across the organisation, to identify potential events that may affect the organisation, as well as manage risks. An ERM framework helps to codify and integrate a holistic, structured and disciplined approach to managing risks into the company’s core business processes and decision-making. Organisations should ensure that data protection [4] is incorporated into their ERM framework to manage their risks.

Risk Identification and Assessment

An essential process for the identification and management of personal data risks is the DPIA at the system or operational level. The DPIA would enable organisations to:

• Identify the personal data handled by the system or operational process, as well as the reasons for collecting the personal data;
• Identify how the personal data flows through the system or operational process;
• Identify data protection risks by analysing the personal data handled and its data flows against PDPA requirements or data protection best practices;
• Address the identified risks by amending the system or operational process design, or introducing new organisation policies; and
• Check to ensure that identified risks are adequately addressed before the system or process is in effect or implemented.

[3] Refer to the Board Risk Committee Guide developed by the Singapore Institute of Directors for more information on the Enterprise Risk Management framework.
[4] Refer to Case Study 3B-5 in the Board Risk Committee Guide developed by the Singapore Institute of Directors on how organisations can mitigate data protection risks.

By conducting a DPIA, an organisation would be in a better position to assess if the handling of personal data complies with the PDPA or data protection best practices, and to implement appropriate policy, technical or process measures. For more information on the DPIA, please refer to the Guide to Data Protection Impact Assessments.

As part of a DPIA, it is recommended to establish a data inventory (see Data Inventory Maps, Data Flow Diagrams and Other Registers on page 23) and classify the risk level of the data in the context in which it is collected, used and disclosed throughout the data life cycle, from creation, distribution and storage to disposal. This may be mapped onto a risk matrix for assessment and implementation of appropriate controls for the identified risk levels.

Risk levels may be determined by considering the following three industry-recognised parameters of impact in the event the data is compromised:

• Confidentiality: Risk to the organisation or individuals arising from unauthorised or inappropriate disclosure. For information to remain confidential, access to it needs to be restricted where its disclosure could harm the interests of the stakeholders.
• Integrity: Risk to information quality or corruption. For information to be useful and serve its purpose, it must be as accurate and complete as possible.
• Availability: Risk of information not being available to intended users. For information to be useful and serve its purpose, it must be available when it is needed and in a form that is accessible by the intended users.

PART II: POLICY AND PRACTICES

DATA PROTECTION POLICIES AND PRACTICES

An organisation’s governance and risk management structure will shape its data protection policies and practices. As part of its corporate governance structure, the organisation should develop appropriate data protection policy and practices, and communicate them to both its internal stakeholders (e.g. staff) and external parties (e.g. vendors, customers). This will provide clarity to internal stakeholders on the responsibilities and processes related to handling personal data in their day-to-day work. Policies also demonstrate accountability to external parties by informing them of the value the organisation places on data protection and how it will protect personal data in its care.

WHAT SHOULD BE IN A POLICY?

Organisations may consider some general questions in the following table to develop their policies to suit their business or organisational needs. Each question applies to internal stakeholders, to external parties, or to both.

General
a. What personal dataset does this policy apply to?
b. What is the purpose of the policy?
c. How often is this policy reviewed?
d. How is the policy aligned with my organisation’s values and business code of conduct?
e. Is this policy transparent?

People
f. Who is the intended audience of the policy?
g. Who does the policy apply to? Are their roles and responsibilities clear and comprehensive?
h. Who is the policy owner?
i. Who approves the policy?

Process
j. Whose personal data is handled?
k. What is the purpose of collecting the personal data?
l. What types of personal data are handled (e.g. name, NRIC, birth date, health details)?
m. How are queries, feedback, disputes and requests handled?
n. Which third party organisations is the personal data shared with, if any?
o. How does the organisation ensure that third party organisations protect data in accordance with the PDPA requirements?
p. How are the data protection and Do Not Call ("DNC") provisions of the PDPA complied with throughout the data life cycle? [5]
q. How is the personal data protected?
r. How long should the personal data be kept and how should it be disposed of at the end of its life cycle?
s. How should data incidents [6] and data breaches be handled, including mandatory data breach notifications to the PDPC and affected individuals?
t. When are DPIAs conducted, and on which systems or for which processes?
u. How should policy exceptions be handled?

Organisations should also consider having dedicated internal policies on specific areas that require elaboration. The following example lists some of the considerations when handling access requests:

[5] This segment may be expanded to elaborate on how the organisation complies with the PDPA.
[6] Data incidents refer to a potential, but unconfirmed, breach of the Protection Obligation under the PDPA.

Example:

Organisation ABC wishes to establish an internal policy on handling access requests and considers the following points when developing the policy:

Establishing and making access request channels available
• How does ABC intend to receive all access requests [7]? (e.g. Is there a standard access request form that the applicant may use? In the absence of any access request forms provided by the organisation, what information is required from the applicant for ABC to proceed with the access request?)
• What are the available channels for the applicant to submit the access request? (e.g. via email, post or any other avenue specified by the organisation)

Obtaining specific information
• What specific information would ABC require to search for and locate the requested personal data in a timely manner? (e.g. type of personal data requested, date and time the personal data was collected)

Charging access fees
• Would ABC be charging a fee [8] to process the access request? If so, are the fees provided in writing to the applicant [9]?
• If ABC intends to charge a fee for the access request that is higher than originally estimated, how would ABC communicate the higher fees in writing to the applicant?
• How would ABC compute the access fee [10] in a way that accurately reflects the time and effort required to respond to the access request?

Determining response timeframe
• How long would ABC take to provide access to the requested personal data [11]? How would the individual be informed if ABC is unable to provide access within 30 days?

Ascertaining identity
• What procedures are established by ABC to verify the identity of the individual making the request? (e.g. proof of identity required from the applicant, verification questions to be asked to establish the identity of the requestor)
• What procedures are established by ABC to verify the identity of an individual making an access request on behalf of another individual? What forms of proof of identity are required?

Assessing exceptions and prohibitions
• When processing an access request, ABC should also assess whether any prohibitions or exceptions may apply such that access to personal data may not be provided [12].
• When the access request contains personal data of other individuals, ABC should consider whether any prohibitions or exceptions may apply to the access request and whether ABC needs to redact the personal data of other individuals [13].

Keeping records of access requests
• What is ABC’s documentation process for recording all access requests received and processed? Documentation may also include all access requests received but not processed due to an applicable exception [14].
• What is ABC’s retention policy for keeping records of access requests received?

These are some details that an organisation developing a specific policy should consider and are not meant to be exhaustive. For more information on handling access requests, please refer to the PDPC’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Chapter 15) and Guide to Handling Access Requests.

[7] Under PDP Regulation 3(1), a request to an organisation must be made in writing and shall include sufficient detail to enable the organisation, with a reasonable effort, to identify (a) the applicant making the request; (b) in relation to a request under section 21(1) of the Act, the personal data and use and disclosure information requested by the applicant; and (c) in relation to a request under section 22 of the Act, the correction requested by the applicant. (2) A request must be sent to the organisation (a) in accordance with section 48A of the Interpretation Act (Cap. 1); (b) by sending it to the organisation’s DPO in accordance with the business contact information provided under section 11(5) of the Act; or (c) in such other manner as is acceptable to the organisation.
[8] Under PDP Regulation 7(1), subject to section 28 of the Act, an organisation may charge an applicant who makes a request to it under section 21(1) of the Act a reasonable fee for services provided to the applicant to enable the organisation to respond to the applicant’s request. (2) An organisation must not charge a fee to respond to the applicant’s request under section 21(1) of the Act unless the organisation has (a) provided the applicant with a written estimate of the fee; and (b) if the organisation wishes to charge a fee that is higher than the written estimate provided under sub-paragraph (a), notified the applicant in writing of the higher fee. Organisations may charge the individual a reasonable fee to recover any incremental costs of responding to his access request. However, under the PDPA, on application of a complainant, the Commission may review a fee required from the complainant by an organisation in relation to a request by the complainant under section 21 or 22. Upon completion of the review, the Commission may confirm, reduce or disallow a fee, or direct the organisation to make a refund to the complainant.
[9] Organisations may refuse to provide access to the personal data requested until the individual agrees to pay the relevant fee.
[10] The PDPA does not prescribe a standard fee or range of fees applicable to access requests.
[11] Organisations must provide access to the requested personal data as soon as reasonably possible.
[12] Please refer to section 21 of the PDPA, Part II of the Personal Data Protection Regulations 2014 and the Advisory Guidelines on Key Concepts in the PDPA for more information on exceptions and prohibitions under the Access Obligation.
[13] Organisations need not redact personal data of other individuals if the data is considered part of any user activity data about, or any user-provided data from, the individual who made the request.
[14] For more information, please refer to Chapter 15 of the Advisory Guidelines on Key Concepts in the PDPA.
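The ABC example above is a checklist; the following is an added example, not part of the PDPC guide, that turns those checklist points into a small access request register so that the handling rules are enforced rather than remembered. It encodes: a request is logged with the detail needed to locate the data; identity must be verified before access is given; no fee may be charged without a prior written estimate, and a higher fee needs written notice first; the 30-day response window is tracked; and refused requests stay on record. The class and function names, the exception type and the sample requests are this example's own assumptions, and the "in writing" checks are simplified stand-ins for the actual Regulation requirements quoted in the footnotes.

```python
"""Access request register enforcing the ABC checklist (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_WINDOW_DAYS = 30  # the 30-day window mentioned in the example


class AccessRequestError(Exception):
    """Raised when a handling step would breach the policy."""


@dataclass
class AccessRequest:
    request_id: str
    applicant: str
    received_on: date
    details: str                            # what data, when collected
    on_behalf_of: Optional[str] = None      # set when acting for someone else
    identity_verified: bool = False
    fee_estimate: Optional[float] = None    # written estimate sent to applicant
    higher_fee_notified: Optional[float] = None
    fee_charged: Optional[float] = None
    outcome: str = "open"                   # open / provided / refused
    refusal_reason: Optional[str] = None
    log: List[str] = field(default_factory=list)


def due_date(req: AccessRequest) -> date:
    return req.received_on + timedelta(days=RESPONSE_WINDOW_DAYS)


def is_overdue(req: AccessRequest, today: date) -> bool:
    return req.outcome == "open" and today > due_date(req)


def verify_identity(req: AccessRequest, method: str) -> None:
    """Record how the requestor (or the person they act for) was verified."""
    who = req.on_behalf_of or req.applicant
    req.identity_verified = True
    req.log.append(f"identity of {who} verified via {method}")


def send_fee_estimate(req: AccessRequest, amount: float) -> None:
    req.fee_estimate = amount
    req.log.append(f"written fee estimate {amount:.2f} sent")


def notify_higher_fee(req: AccessRequest, amount: float) -> None:
    if req.fee_estimate is None:
        raise AccessRequestError("no written estimate on record")
    req.higher_fee_notified = amount
    req.log.append(f"written notice of higher fee {amount:.2f} sent")


def charge_fee(req: AccessRequest, amount: float) -> None:
    """A fee needs a prior written estimate; a higher fee needs written notice."""
    if req.fee_estimate is None:
        raise AccessRequestError("fee requires a prior written estimate")
    if amount > req.fee_estimate and req.higher_fee_notified != amount:
        raise AccessRequestError("higher fee requires written notice first")
    req.fee_charged = amount
    req.log.append(f"fee {amount:.2f} charged")


def provide_access(req: AccessRequest, redacted_third_parties: bool) -> None:
    """Close the request as provided; identity must have been verified."""
    if req.outcome != "open":
        raise AccessRequestError("request already closed")
    if not req.identity_verified:
        raise AccessRequestError("identity not verified")
    req.outcome = "provided"
    note = " (other individuals' data redacted)" if redacted_third_parties else ""
    req.log.append("access provided" + note)


def refuse(req: AccessRequest, reason: str) -> None:
    """Refusals under an exception stay in the register, as the guide suggests."""
    req.outcome = "refused"
    req.refusal_reason = reason
    req.log.append(f"refused: {reason}")


def register_summary(requests: List[AccessRequest], today: date) -> dict:
    """Figures the DPO would report to management."""
    return {
        "total": len(requests),
        "open": sum(r.outcome == "open" for r in requests),
        "overdue": [r.request_id for r in requests if is_overdue(r, today)],
        "refused": [r.request_id for r in requests if r.outcome == "refused"],
    }


if __name__ == "__main__":
    # Constructed sample: one request that goes through fee estimation and
    # identity verification, one refused under an exception.
    r1 = AccessRequest("AR-001", "Tan", date(2024, 1, 2),
                       "copy of membership record collected Mar 2023")
    send_fee_estimate(r1, 20.0)
    verify_identity(r1, "NRIC sighted in person")
    charge_fee(r1, 20.0)
    provide_access(r1, redacted_third_parties=True)
    r2 = AccessRequest("AR-002", "Lim", date(2024, 1, 5), "all emails mentioning me")
    refuse(r2, "would reveal personal data about another individual")
    print(register_summary([r1, r2], date(2024, 3, 1)))
```

The ordering checks are the point: calling charge_fee before send_fee_estimate, or provide_access before verify_identity, raises rather than silently proceeding, which is what a policy exception log should capture.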

Policies should be approved by the management, communicated to all relevant parties and reviewed regularly to ensure they remain relevant. Organisations may also use the PDPC’s Data Protection Notice Generator to generate basic data protection template notices to inform their stakeholders on how they manage personal data.

INCORPORATE GOOD DATA PROTECTION PRACTICES

A Data Protection by Design Approach

An effective data protection policy is one that can be operationalised into business processes. One way to translate data protection policies into business processes is by adopting a Data Protection by Design ("DPbD") approach, where organisations consider the protection of personal data from the earliest possible design stage of any project, and throughout the project’s operational life cycle. This can be as simple as putting data protection considerations in the foreground of any project development instead of as an afterthought.

Designing data protection from the start can help organisations to (a) identify data protection issues early, (b) increase awareness of data protection across the organisation and (c) meet the data protection obligations under the PDPA. Organisations may wish to adapt the DPbD principles in the PDPC’s Guide to Data Protection by Design for ICT Systems throughout their project design, development and operational life cycle.

Ensure Compliance with the PDPA

It is important for an organisation’s staff, as well as third party organisations engaged to process personal data on its behalf, to know how the organisation expects the personal data to be handled and protected. In this regard, organisations may consider the following:

Key activity: State the personal data protection clauses clearly in the staff contract
  Component: Employment Contract
  • Update employment contract with clauses on responsibility to protect personal data
  Component: Employee Handbook
  • Details may be contained in the employee handbook, and updated periodically

Key activity: Set clear requirements on how vendors should manage and dispose of the data
  Component: Data protection clauses in third party agreements (for more information, refer to the Guide to Managing Data Intermediaries under the PDPA, the Guide on Data Protection Clauses Relating to the Processing of Personal Data, and the Guide to Data Protection by Design for ICT Systems)
  • Use standard contractual clauses in contracts and processing agreements with third party organisations to ensure protection for personal data
  • Use contractual clauses and retention schedules in contracts and processing agreements with third party organisations to ensure proper disposal of personal data
  • Establish measures to verify the identity of third party organisations that have access to the organisation’s collected data
  Component: Data protection clauses for cross-border personal data transfer contracts (for more information, refer to the Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data and the Guidance for Use of ASEAN Model Contractual Clauses for Cross-Border Data Flows)
  • Establish cross-border personal data transfer contracts (e.g. transfer of personal data within organisations outside of Singapore or the parent company) to ensure protection for personal data

Key activity: Conduct regular review of contracts
  Component: Due diligence on third party organisations
  • Conduct due diligence of the personal data protection and security policies, practices and processes of service vendors/third party organisations (e.g. conduct random spot checks, request an independent audit report)

COMMUNICATE POLICIES TO
CUSTOMERS (E.G. CLIENTS,
DONORS, OTHER ORGANISATIONS)
Customers’ trust is crucial and organisations should implement personal
data protection initiatives to demonstrate accountability. Organisations
should thus ensure that their data protection policies are communicated
clearly and upfront. Useful initiatives include:

• Notification: Publish policies and other information in simple language and place them in prominent locations and/or other relevant channels (e.g. websites) that are easily accessible by customers.

• Consent: Ensure that customers understand what they are consenting to along their user journey by providing simple and clear consent clauses at appropriate touchpoints through dynamic consent.

• Policy updates: Manage ongoing customer relationships with clear communication on any policy or service updates, and keep such communications clearly separated from marketing messages.

• Staff’s interactions with customers: Ensure that the staff assigned to interact with customers are trained in the content knowledge and sensitivity required in handling data protection feedback and queries.

• Access and correction request handling: Provide easily accessible channels and proper processes for handling customers’ access and correction requests, which are monitored to ensure prompt response.

• Complaints handling: Ensure that there are proper channels and processes for handling customer complaints concerning personal data.

Such approaches may help to assure customers that your organisation takes responsibility for the personal data under your care.

PART III: PROCESSES

The organisation’s controls and processes should be designed to cater to risks earlier identified in Risk Identification and Assessment on page 12. Having identified risks, the organisation should ensure that such risks are minimised through the implementation of controls, and residual or ad-hoc risks monitored.

• Risk identification and mapping: Tools such as data flow and consent registers can help to identify and map risks relating to personal data and to design controls.

• Risk remediation and controls: Risks that have been identified should be remediated through the implementation of systems-based or process controls.

• Risk monitoring and reporting: Operational monitoring systems should be designed to monitor occurrence of residual risks or ad-hoc risks, and internal reporting processes designed for escalation to management. Breach management plans can help with breach monitoring and management.

Finally, periodic internal and external audits should be conducted to ensure that all data protection risks are addressed amidst changing circumstances.

RISK IDENTIFICATION AND MAPPING

Data Inventory Maps, Data Flow Diagrams and Other Registers

Known risks should be managed through a good understanding of the life cycle and flow of personal data in your organisation. This can be done through documenting the personal data handled using diagrams and charts such as data inventory maps or data flow diagrams, as illustrated in Annex C.

The data inventory map and data flow diagram should also include
information on the business purposes for collection, use and disclosure
of personal data, the individuals and third parties who handle personal
data under the organisation’s possession or control, as well as the
classification of the data to manage user access. They should also deal
with when and how the organisation should dispose of or anonymise
the personal data for long-term archival. As good practice, it is important
that employees and third parties access personal data on a need-to-know
basis. Different sets of data may be accessed by different parties.

Organisations may also wish to adopt a risk register following their inventory mapping. The risk register should identify the risks associated with the nature of the personal data and the context in which it is used. This should be shaped by risks identified in Risk Identification and Assessment on page 12. In addition, organisations should consider existing whitelists of data, as determined internally and/or by relevant regulations, which may be subject to more stringent regulation, as highlighted in the Guide on Managing and Notifying Data Breaches Under the PDPA, for instance.

As good practice, organisations should create a consent register to record consent provided by individuals to the organisation for the collection, use and disclosure of their personal data for a particular purpose. This could be a document for the organisation to demonstrate and verify that an individual has provided consent, and for the organisation to have oversight of the consent provided, or withdrawn, by an individual. As an organisation updates its consent clauses, the consent register can help to keep track of what is permitted for each version of the consent clause and the version of the consent clause that each customer has agreed to.
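A consent register of the kind described above, as an added example that is not the PDPC's template or any project's code; the class names, the clause version identifiers and the sample customers are constructed. Each clause version carries the purposes it permits, each customer record names the version agreed to and any withdrawal, and permission is derived from the version the customer actually agreed to rather than the latest one.

```python
# Versioned consent register: an added example, not PDPC's own tool.
# Class and field names, version identifiers and the sample data are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ConsentClause:
    """One version of the organisation's consent clause and what it permits."""
    version: str
    effective_from: date
    purposes: FrozenSet[str]


@dataclass
class ConsentRecord:
    """Consent given by one individual to one clause version."""
    customer_id: str
    clause_version: str
    given_on: date
    touchpoint: str                      # point in the user journey where captured
    withdrawn_on: Optional[date] = None

    def active_on(self, on: date) -> bool:
        # Consent applies from the day given up to, but excluding, the withdrawal day.
        return self.given_on <= on and (self.withdrawn_on is None or on < self.withdrawn_on)


class ConsentRegister:
    """Tracks clause versions and each customer's consents and withdrawals."""

    def __init__(self) -> None:
        self.clauses: Dict[str, ConsentClause] = {}
        self.records: Dict[str, List[ConsentRecord]] = {}

    def add_clause(self, clause: ConsentClause) -> None:
        if clause.version in self.clauses:
            raise ValueError(f"clause version {clause.version!r} already registered")
        self.clauses[clause.version] = clause

    def record_consent(self, customer_id: str, clause_version: str,
                       given_on: date, touchpoint: str) -> ConsentRecord:
        clause = self.clauses.get(clause_version)
        if clause is None:
            raise KeyError(f"unknown clause version {clause_version!r}")
        if given_on < clause.effective_from:
            raise ValueError("consent cannot predate the clause version it refers to")
        rec = ConsentRecord(customer_id, clause_version, given_on, touchpoint)
        self.records.setdefault(customer_id, []).append(rec)
        return rec

    def withdraw(self, customer_id: str, withdrawn_on: date) -> int:
        """Close every consent of the customer active on that day; return the count."""
        closed = 0
        for rec in self.records.get(customer_id, []):
            if rec.active_on(withdrawn_on):
                rec.withdrawn_on = withdrawn_on
                closed += 1
        return closed

    def permitted_purposes(self, customer_id: str, on: date) -> FrozenSet[str]:
        """Purposes covered by the clause versions the customer's active consents name.
        Permission derives from the version actually agreed to, never the latest one."""
        allowed = set()
        for rec in self.records.get(customer_id, []):
            if rec.active_on(on):
                allowed |= self.clauses[rec.clause_version].purposes
        return frozenset(allowed)

    def is_permitted(self, customer_id: str, purpose: str, on: date) -> bool:
        return purpose in self.permitted_purposes(customer_id, on)

    def customers_needing_reconsent(self, purpose: str, on: date) -> List[str]:
        """Customers with an active consent whose version does not cover `purpose`,
        e.g. after a new clause version adds it; they must be asked before that use."""
        return sorted(
            cid for cid, recs in self.records.items()
            if any(r.active_on(on) for r in recs)
            and purpose not in self.permitted_purposes(cid, on)
        )


def build_sample_register() -> ConsentRegister:
    """Constructed sample: v1 covered service delivery and billing, v2 added marketing."""
    reg = ConsentRegister()
    reg.add_clause(ConsentClause("v1", date(2022, 1, 1), frozenset({"service_delivery", "billing"})))
    reg.add_clause(ConsentClause("v2", date(2023, 6, 1), frozenset({"service_delivery", "billing", "marketing"})))
    reg.record_consent("C001", "v1", date(2022, 3, 10), "sign-up form")
    reg.record_consent("C002", "v2", date(2023, 7, 2), "sign-up form")
    reg.record_consent("C003", "v2", date(2023, 8, 15), "mobile app")
    reg.withdraw("C003", date(2023, 9, 1))
    return reg
```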

The tools described in this section will help with identification and management
of risks, and can be translated into controls. These tools may need to be
updated and reviewed periodically, and when conducting a DPIA.

Resources to Identify Risks and Gaps

PDPC provides many resources to support organisations in developing their data protection practices. Organisations may refer to the following tools as a start to identify and map their risks and gaps in data protection.

Tool: Data Protection Starter Kit Checklist
Description: The Data Protection Starter Kit Checklist allows organisations to conduct self-assessment and identify data protection gaps in the organisation.

Tool: Data Protection-as-a-Service for SMEs (DPaaS@SMEs)
Description: The DPaaS@SMEs Programme makes it easier for SMEs to outsource data protection functions and supports SMEs in strengthening their data protection capabilities.

Tool: Sample Personal Data Inventory Map Template
Description: The Personal Data Inventory Map helps organisations manage the personal data under their control. It is easy to develop, maintain and update, and does not require high-level software and skills.

Tool: Sample Consent Registry Template
Description: The consent registry helps organisations to record consent provided by individuals to the organisation for the collection, use and disclosure of their personal data for a particular purpose.

Tool: Data Flow Illustration
Description: The Data Flow Illustration diagram helps organisations visualise the flow of data within their organisation.

Tool: DPOinBox
Description: The DPOinBox supports organisations in the development and implementation of their DPMP for areas such as identifying risks, managing the programme, sustaining initiatives and responding to incidents and requests.

Tool: Personal Data Asset Inventory Tool (Docukit Data Protection App)
Description: The Docukit Data Protection App helps DPOs track how personal data is being managed within their organisations, and therefore manage the data protection risks in a more effective and productive manner.

Tool: OneTrust Software for PDPA Compliance
Description: The OneTrust Software for PDPA Compliance provides organisations with tools to build their Data Inventory Map (“DIM”) and conduct DPIA to better manage their compliance with the PDPA.

RISK REMEDIATION AND CONTROLS

Put in Place System-based and Process Controls and Measures

Based on the risks and gaps identified above, organisations can then
put in place relevant system-based and process controls and measures
to address the risks and gaps. For example, the data inventory map,
data flow diagram and risk register help organisations to identify where
sensitive data is stored in the systems. This helps organisations to
determine the level of IT security protection to put in place and the
types of users/applications (internal and external) which can access
such systems and data. Appropriate process controls can also be
implemented to approve, review and manage the access rights of these
users and applications. From the consent register, organisations will
be able to identify the types of personal data that can be used for
different purposes and put in place relevant approval processes for the
use of these data.
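The data inventory map described under Risk Identification and Mapping, carried into the access, IT security and disposal controls this passage derives from it, as an added example that is not the PDPC's template or tool. The classification scale, the baseline controls per level, the class names and the sample datasets are all constructed for illustration.

```python
# Data inventory map turned into controls: an added example, not a PDPC tool.
# The classification scale, baseline controls, class names and sample data are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed classification scale, lowest to highest sensitivity.
CLASSIFICATION_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

# Constructed minimum IT security baseline per classification level.
BASELINE_CONTROLS: Dict[str, FrozenSet[str]] = {
    "Public": frozenset(),
    "Internal": frozenset({"authenticated_access"}),
    "Confidential": frozenset({"authenticated_access", "encryption_at_rest", "access_logging"}),
    "Restricted": frozenset({"authenticated_access", "encryption_at_rest", "access_logging",
                             "mfa", "quarterly_access_review"}),
}


@dataclass(frozen=True)
class InventoryEntry:
    """One row of the data inventory map."""
    dataset: str
    fields: FrozenSet[str]          # personal data items held
    classification: str
    purposes: FrozenSet[str]        # business purposes for collection, use and disclosure
    system: str                     # where the data is stored
    handlers: FrozenSet[str]        # internal roles and third parties with a need to know
    retention_days: int             # how long after last use the data is kept
    last_used: date
    disposal: str                   # "delete" or "anonymise" when retention ends


class DataInventoryMap:
    def __init__(self, entries: Iterable[InventoryEntry]) -> None:
        self.entries = list(entries)
        for e in self.entries:
            if e.classification not in CLASSIFICATION_RANK:
                raise ValueError(f"{e.dataset}: unknown classification {e.classification!r}")
            if e.disposal not in ("delete", "anonymise"):
                raise ValueError(f"{e.dataset}: unknown disposal action {e.disposal!r}")

    def can_access(self, handler: str, dataset: str) -> bool:
        """Need-to-know check: only handlers listed against the dataset may access it."""
        return any(e.dataset == dataset and handler in e.handlers for e in self.entries)

    def system_baseline(self) -> Dict[str, FrozenSet[str]]:
        """Controls each system must have, set by the most sensitive dataset it holds."""
        highest: Dict[str, str] = {}
        for e in self.entries:
            cur = highest.get(e.system)
            if cur is None or CLASSIFICATION_RANK[e.classification] > CLASSIFICATION_RANK[cur]:
                highest[e.system] = e.classification
        return {sys: BASELINE_CONTROLS[cls] for sys, cls in highest.items()}

    def control_gaps(self, implemented: Dict[str, FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
        """Systems whose implemented controls fall short of the baseline, with what is missing."""
        gaps = {}
        for sys, required in self.system_baseline().items():
            missing = required - implemented.get(sys, frozenset())
            if missing:
                gaps[sys] = missing
        return gaps

    def disposal_due(self, on: date) -> List[Tuple[str, str]]:
        """Datasets past their retention period and the action the map prescribes."""
        return sorted(
            (e.dataset, e.disposal) for e in self.entries
            if e.last_used + timedelta(days=e.retention_days) <= on
        )


def build_sample_map() -> DataInventoryMap:
    """Constructed sample inventory for a small organisation."""
    return DataInventoryMap([
        InventoryEntry("customer_accounts", frozenset({"name", "email", "nric"}), "Restricted",
                       frozenset({"service_delivery", "billing"}), "crm",
                       frozenset({"Sales", "Customer Service", "VendorA (CRM hosting)"}),
                       365 * 7, date(2023, 9, 1), "anonymise"),
        InventoryEntry("marketing_list", frozenset({"name", "email"}), "Confidential",
                       frozenset({"marketing"}), "mailer", frozenset({"Marketing"}),
                       365, date(2022, 6, 30), "delete"),
        InventoryEntry("event_signups", frozenset({"name", "email"}), "Internal",
                       frozenset({"events"}), "crm", frozenset({"Marketing"}),
                       180, date(2023, 8, 1), "delete"),
    ])
```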

When developing systems, organisations should consider and build data protection measures into ICT systems that involve the processing of personal data during the software development life cycle. By adopting DPbD, appropriate controls to protect personal data would have been embedded within the system which helps to reduce unnecessary delays and contain costs, compared to having to retrofit data protection features afterwards.

Controls adopted should correspond to the risk level and nature of the
data, and should include both digital and non-digital solutions (e.g.
encryption and access controls).

For more information, please refer to the PDPC’s Guide to Data Protection by Design for ICT Systems.

Include Processes for Managing Service Vendors

Organisations are required to communicate their personal data protection requirements to their service vendors or data intermediaries clearly. When handling personal data of the organisation, these data intermediaries are responsible for adhering to the Protection, Retention Limitation and Data Breach Notification Obligations under the PDPA. In this regard, a binding contractual agreement that highlights the responsibilities with regard to the processing of the personal data should be in place. In addition, where data is transferred internationally, organisations should ensure that such transfers are done in compliance with the PDPA (e.g. by ensuring that the service vendor is certified under the APEC Cross Border Privacy Rules ("CBPR") or Privacy Recognition for Processors ("PRP") systems). For more information on managing data intermediaries in the context of personal data protection, refer to the PDPC’s Guide to Managing Data Intermediaries.

PDPA Assessment Tool for Organisations ("PATO")

Organisations should also use the PATO as a self-assessment tool to assess any residual gaps from their systems-based and process controls, as well as monitor the implementation of these controls. Based on the assessment report, organisations would be able to ascertain how internal processes on handling personal data can be refined.

RISK MONITORING AND REPORTING

Organisations should ensure that all risks, especially residual risks that
cannot be addressed by systems-based controls and processes, are
monitored through regular reporting to the committees within the
organisation’s governance structure and through operational monitoring
and reporting (e.g. management reports). The DPO should ensure that
there is regular monitoring of identified personal data protection risks,
reporting of data incidents and remediation to the relevant oversight
body at the board and senior management to get their support, direction
and feedback. Organisations may wish to develop reporting processes
and frequency (e.g. every quarter or annually) for various feedback
mechanisms from the working level to senior management. For instance:

Frequency: Quarterly
Possible topics for discussion:
1. Changes to personal data protection policies and practices made in the last quarter
2. Results and action plans/remedial measures after completing the PATO or DPIA
3. Status of or updates to existing risks, risk ratings and action plans/remedial measures
4. New risks, risk ratings and action plans/remedial measures added in this reporting quarter
5. Personal data protection audit plans
6. Key personal data protection issues to note

Frequency: Annually
Possible topics for discussion:
1. Refreshed personal data protection risk profile for the year
2. Summary of risk remediation plans

Organisations should be able to demonstrate that they have in place accountable practices, such as monitoring and remediation plans. Under the PDPC’s Active Enforcement Framework, this may allow the organisation to qualify for an undertaking option in the case of a data breach, allowing for a better outcome as opposed to a full investigation.

Establish a Process for Managing Data Breaches

Personal data breaches can occur due to various reasons such as malicious activity, human error or computer system error. Organisations should develop and implement a personal data breach management process to address data breaches. The plan may include the following set of activities:

• Containing the breach
• Assessing the risk
• Reporting the incident
• Evaluating the response and recovery to prevent future breaches

The organisation’s DPO may also document data incidents and data
breaches in an incident record log. Refer to the end of this chapter for
an example of an incident record log. As good practice, organisations
should also actively engage their data intermediaries and delineate the
responsibilities of reporting, investigating and taking remedial actions.

Organisations must also notify the PDPC and affected individuals when
they have credible grounds to believe that a data breach has occurred.
They should conduct this assessment on whether it is a notifiable data
breach within 30 calendar days. The steps taken in assessing the data
breach should be documented to demonstrate that the organisation
has been reasonable and expeditious in doing so.

For more information, please refer to the Guide on Managing and Notifying
Data Breaches Under the PDPA and Guide on Active Enforcement.

PART IV: MAINTENANCE

REVIEWING DATA PROTECTION POLICIES AND PRACTICES
Organisations are encouraged to routinely review their data protection
policies and practices to enable them to identify data protection gaps
and the appropriate remedies through effective oversight by the board
and senior management. In Singapore’s evolving digital economy, this
will provide the assurance that the organisation’s data protection practices
are kept updated with regulatory and technological developments and
that data protection risks are being managed effectively.

FREQUENCY OF REVIEW
Changes in environment may require revisions to data protection
policies and processes. Organisations would have to decide whether
the revisions should be applied immediately (ad-hoc) or during a
periodic review of the DPMP. The table shows examples of circumstances
that may prompt either immediate or periodic changes.

Immediate (Ad-hoc):
• Occurrence of major incidents (e.g. leakage of personal data to public due to new technology)
• Legislative and regulatory amendments
• Occurrence of organisational changes (e.g. re-structuring, mergers and acquisitions, process changes)

Periodic:
• Revision of data protection policies and processes at regular intervals, with a pre-specified time interval, to ensure that policies and processes remain relevant
• Batch review of occurrences of minor incidents (e.g. accidental access to personal data by unauthorised employee)
• Revision of processes or systems that have minimal effect on data protection (e.g. change in DPO’s business contact information)

Organisations may also conduct a DPIA to help identify, assess and address data protection risks associated with the new changes. Please refer to the PDPC’s Guide to Data Protection Impact Assessments for more information.

ESTABLISH AN AUDIT STRUCTURE

As part of corporate governance, organisations are encouraged to
establish an ERM framework with monitoring and reporting mechanisms
(i.e. regular risk reporting and internal audit) that addresses personal
data protection issues. Such a structure provides clarity on the direction
and manner in which an organisation manages personal data protection
risks, among others.

Audit

Organisations can conduct an audit to monitor and evaluate the overall implementation of their data protection policies and processes. This could be done by:

• Conducting an internal audit on a periodic basis
• Conducting an ad-hoc walk-through and inspection
• Engaging an external party (on a periodic basis or as required) to evaluate implementation
• Obtaining and maintaining certifications for the organisation’s data protection measures, such as the Data Protection Trustmark ("DPTM") Certification. For more information on the DPTM, please visit IMDA’s website.

KEEPING DATA PROTECTION POLICIES AND PRACTICES RELEVANT

Monitor External and Internal Environment

To ensure that data protection policies and practices remain relevant and updated, organisations need to keep abreast of the changes and developments within and outside the organisation. Some suggestions on how to monitor the environment include:

What to monitor?

External Environment:
• Amendments to the PDPA and PDP Regulations
• Issuance of new resources from the PDPC
• Changes to sector-specific regulations
• Data breaches in other organisations
• Data protection best practices by other organisations
• Technological changes or emerging technologies that might result in increased data protection risks

Internal Environment:
• Systems or processes (that process personal data) which are being newly designed or undergoing major changes
• New business engagement or business model
• Feedback from stakeholders (e.g. direction from senior management, complaints/feedback from customers)
• Data incidents

How to monitor?

External Environment:
• Sign up with DPO Connect to get updates on data protection developments and related events
• Subscribe to reporting services and circulars by law firms to get updates on legislative and regulatory developments
• Attend data protection-related conferences and training
• Research on developments in data protection

Internal Environment:
• Conduct DPIAs on systems and processes (that process personal data) that are being newly designed or undergoing major changes
• Conduct staff surveys to understand data protection awareness or feedback on data protection practices in the organisation
• Attend to feedback from customers

Notify Stakeholders on Changes to Data Protection Policies and Practices

Organisations should keep stakeholders apprised of the changes to their policies or practices as part of their training and communication plan, as suggested in Culture of Accountability and Staff Training on page 10 of this guide.

An organisation’s data protection policies and practices should be accessible by stakeholders. For example:

• Store information on these policies and practices on the organisation’s repository for all staff’s reference (e.g. Intranet) and create awareness through regular staff update emails

• Work with outsourced vendors to disseminate the information to their staff who are handling the organisation’s personal data

• Update the information onto the organisation’s website and push updates to customers through emails, newsletters or other CRM channels

Validate the DPMP

Organisations may choose to validate their DPMP through an external review. For example, they may seek to certify their data protection practices through the DPTM Certification. These are good practices to provide their stakeholders with the confidence and assurance that the organisation has put in place robust data protection measures in line with the PDPA and comparable to industry standards.

Review by external party: Getting the DPMP validated by an external party helps ensure that the organisation’s data protection policies and practices are robust and comparable to industry standards.

Apply for DPTM certification: The DPTM is a voluntary enterprise-wide certification that helps organisations demonstrate accountable and responsible data protection practices. Obtaining the DPTM certification demonstrates to customers that the organisation has robust data protection policies and practices in place to safeguard their personal data. DPTM-certified companies could look forward to:

• Increased business competitiveness by strengthening the organisation’s reputation, building trust and fostering confidence in the organisation, raising its competitiveness both locally and overseas; and
• Validation of the organisation’s data protection governance and protection standards and practices, as well as identification of potential weaknesses which will allow the organisation to take steps or put in place remedial measures to mitigate the risks.

For more information, please visit IMDA’s website.

ANNEX A: ILLUSTRATION OF THE DPO IN AN ORGANISATION

(A) Personnel within senior management appointed as the DPO

Senior Management
  Regional or Group DPO: personnel appointed from senior management team that
  • oversees all personal data protection-related matters;
  • oversees data transfer activities; and
  • provides leadership guidance on personal data protection law in local and/or other jurisdictions.

(B) A group of personnel appointed (with support from the Audit and Legal departments)

Senior Management
  DPO: group of personnel appointed by senior management team with specific personal data protection-related job scopes
  • Department Representative: responsible for personal data protection measures and awareness in respective departments
  • Communications: responsible for external communications on matters relating to the PDPA
  • Access and Correction Request Handling: responsible for handling access and correction requests from the public
  • Incident Response: responsible for handling complaints and incidents related to the PDPA

Supported by (optional):
  • Internal Audit: independent assurance when checking the organisation’s adherence to the PDPA
  • Legal: legal opinion on PDPA-related matters

ANNEX B: TRAINING AND COMMUNICATION INITIATIVES IN A TYPICAL EMPLOYMENT JOURNEY

On-boarding
  Training (Illustrative): • Briefing on the fundamentals of the PDPA
  Communication (Illustrative): • Access to an internal repository on data protection matters (e.g. policies)
  Target Audience (Illustrative): • All staff

On-the-job assignment
  Training (Illustrative): • In-depth training on organisation’s data protection processes
  Target Audience (Illustrative): • Staff handling personal data (e.g. HR, Sales and Marketing)

Change in job scope
  Training (Illustrative): • In-depth training on specific data protection process, if any
  Target Audience (Illustrative): • Staff handling personal data (e.g. HR, Sales and Marketing)

Ongoing
  Training (Illustrative): • Refresher on the fundamentals of the PDPA • Briefings on specific data protection policies and processes
  Communication (Illustrative): • Reminders on data protection policies and processes • Update on any changes to data protection policy on processes
  Target Audience (Illustrative): • All staff

Promotion
  Training (Illustrative): • In-depth training on specific data protection process, if any
  Target Audience (Illustrative): • Staff with greater responsibility over personal data protection

Exit
  Training (Illustrative): • Requirements on proper handling of personal data upon exit (e.g. not misusing personal data handled)
  Target Audience (Illustrative): • Staff who are leaving the organisation

DPOs can refer to the suggested training types in the following table to develop their training
and communication initiatives.

1. Board of Directors’ support
  Timing:
  • At the start of the organisation’s personal data protection journey
  • Periodically, when corporate risk register [14] is reviewed
  Target: Board of Directors
  Details:
  • Awareness and support of personal data protection risks
  • Inclusion of personal data protection risks into corporate risk management framework
  How:
  • PDPC events (e.g. seminars, briefings)
  • Briefings to Board of Directors by external vendors

[14] A risk register is a tool for documenting risks and actions to manage each risk. It provides an organisation with a list of identified risks to assist in risk management.

2. Senior management buy-in
  Timing:
  • At the start of the organisation’s personal data protection journey
  • Periodically (e.g. during formulation of annual internal audit plans)
  Target: Senior management
  Details:
  • Rationalise business benefits of personal data protection
  • Highlight importance of personal data protection and implication of data breaches
  • Highlight the key roles of senior management in personal data protection
  • Establish risk reporting structure to identify and manage risk
  • Implement internal audits to evaluate effectiveness
  How:
  • PDPC events (e.g. seminars, briefings)
  • PDPC’s E-learning Programme
  • PDPC’s sectoral briefings
  • Training by external vendors

3. PDPA training
  Timing:
  • Onboarding of staff
  • Ad-hoc when there is a revision to the PDPA, PDPC guidelines or organisation’s data protection policies and practices
  Target: All staff
  Details:
  • Educate staff on the PDPA and the organisation’s data protection policies and processes
  • Make available data protection training materials on an accessible platform (e.g. intranet)
  • Suggested topics include:
    a. Importance of personal data protection
    b. Main obligations under the PDPA
    c. The organisation’s personal data protection policies and processes
    d. Business benefits of increased accountability to data protection
  How:
  • PDPC’s E-Learning Programme
  • In-house trainings or briefings by the DPO on data protection policies and practices
  • Training by external vendors
  • eDMs, posters, videos, organisation’s intranet, circulars to inform and update staff on organisation’s new or revised data protection policies and practices

4. In-depth PDPA training specific to internal policies and processes
  Timing:
  • Upon assignment to a specific job role or change in role/job scope
  • When there are new data protection policies or processes
  Target: Staff handling personal data
  Details:
  • Develop targeted data protection training aligned with organisation’s internal policies and processes
  How:
  • PDPC sectoral briefings
  • An Introduction to the Fundamentals of Personal Data Protection Act (under the Business Management WSQ)
  • Practitioner Certificate in Personal Data Protection (Singapore) Preparatory Course
  • Training by external vendors

5. Refresher courses
  Timing:
  • On a periodic basis (e.g. annually)
  • Ad-hoc when there is a revision to the PDPA, PDPC guidelines or organisation’s data protection policies and processes
  Target: All staff
  Details:
  • Provide a refresher course for all employees to refresh their knowledge and facilitate compliance to the PDPA
  • Circulate updated materials on personal data protection
  How:
  • Remind or update stakeholders on the organisation’s data protection practices and policies through newsletters, eDMs, posters, videos, organisation’s Intranet, circulars, roadshows, town hall or brown bag discussions
  • PDPC events (e.g. seminars, briefings)

6. Obtain professional certification
  Timing:
  • As part of career development
  Target: The DPO and staff who are part of the DPO’s team
  Details:
  • Attend personal data protection-related trainings to be updated of the regulations and requirements
  • Obtain personal data protection certification
  How:
  • Certified Information Privacy Manager Programme
  • Certified Information Privacy Technologist Programme
  • Certified Information Privacy Professional Asia Programme

For more information on help for organisations, please refer to the PDPC’s website.

ANNEX C: DATA INVENTORY MAP AND DATA FLOW DIAGRAM

Option 1) Data Inventory Map

[Illustrative data inventory map]

Pros:
• Easy to develop, maintain and update
• Does not require high-level software and skills
• No limitations on recording of information
• Effective for extensive and complex data flows

Cons:
• Lacks visual representation of data flow
• Limited representation on interconnectivity of personal data

Option 2) Data Flow Diagram

[Illustrative data flow diagram]

Pros:
• Handy for quick reference
• General flow of personal data can be easily understood
• No technical knowledge is required to understand with simple notation
• Effective for small, interconnected data

Cons:
• Challenging to develop and maintain
• Information to be presented is limited depending on size and/or type of personal data
• Might not be effective for large, interconnected data
#SGDIGITAL
Singapore Digital (SG:D) gives Singapore’s digitalisation
efforts a face, identifying our digital programmes and
initiatives with one set of visuals, and speaking to our
local and international audiences in the same language.

The SG:D logo is made up of rounded fonts that evolve from the expressive dot that is red. SG stands for Singapore and :D refers to our digital economy. The :D smiley face icon also signifies the optimism of Singaporeans moving into a digital economy. As we progress into the digital economy, it’s all about the people — empathy and assurance will be at the heart of all that we do.


Copyright 2021 — Personal Data Protection Commission Singapore (PDPC)

This publication gives a general guide to establishing a Data Protection Management Programme (DPMP). The contents herein are not intended to be an authoritative statement of the law or a substitute for legal or other professional advice. The PDPC and its members, officers, employees and delegates shall not be responsible for any inaccuracy, error or omission in this publication or liable for any damage or loss of any kind as a result of any use of or reliance on this publication.

The contents of this publication are protected by copyright, trademark or other forms
of proprietary rights and may not be reproduced, republished or transmitted in any
form or by any means, in whole or in part, without written permission.
