Singapore’s Personal Data Protection Act (Act) came into force in January this year. Companies have 18 months to ensure that they are in compliance with the new Act. In order to be compliant with the Act, companies need to implement organisational and process changes, which is why the government has given companies 18 months to make sure they can effect the changes in time.
To assist our clients in rolling out their compliance program, Rodyk has developed a proactive program designed to help a company kick-start the process of compliance with the Act in all business units. The program consists of three phases. Clients can choose whether they wish to engage Rodyk on any of the phases. The three phases are:
Phase 1 – Rodyk will conduct a workshop for all relevant departments in the client organisation
Generally, only legal officers or compliance officers will attend general talks organised by law firms for their clients. In the case of the Act, legal officers already know that the organisation needs to do something to bring about compliance. Different units of an organisation may be collecting data through different means. However, the personnel in the different units may not know about their obligations under the Act.
The purpose of this workshop is to educate the leaders of the different units of an organisation on the Act, so that they can review their own processes regarding data collection, use and disclosure, and determine whether or not they need to go on to Phase 2. The talk will cover an organisation’s duties under the Act, and will be targeted at the organisation’s industry as we understand it.
The deliverable at the end of Phase 2 is an on-line questionnaire to be completed by the various units of the organisation. The score achieved by each unit will be a guide for the organisation to determine whether the unit needs to go into Phase 2.
Phase 2 – Audit
The organisation will determine whether it needs to go on to Phase 2. Phase 2 is scalable as we can carry out the audit for one business unit or a number of business units, as required by the organisation. Leaders of business units who have attended the talk in Phase 1 should be consulted as to whether their business unit wishes to proceed to Phase 2.
In Phase 2, Rodyk will meet up with the personnel identified by the organisation for the business unit undergoing the audit. Rodyk will:
- ascertain how the personal data is collected, stored and used by the business unit;
- analyse the results of the diagnostic exercise; and
- provide a proposal for compliance with the Act.
The organisation will determine whether it wishes to proceed to Phase 3. In Phase 3, Rodyk will carry out the steps needed for compliance with the Act, as identified in Phase 2. Phase 3 is also scalable in that the organisation can decide what it requires Rodyk’s assistance on, and what it can do in-house.
Upon completion of the three phases, the organisation would have taken the steps needed to ensure compliance.