chapter 5 Flashcards
what is the Data Protection Management Programme
–> builds a strong foundation for data protection within the organisation
DPMP FULL FORM
Data Protection Management Programme
what are the DPMP sections
governance and risk assessment
policy and practices
processes
maintenance
what is the purpose of the DPMP
–> Helps organizations demonstrate accountability in data protection
–> Stakeholders and Regulators: Ensures compliance with data protection regulations and addresses the concerns of stakeholders and regulatory bodies
–> Customers and Business Partners: Builds trust and confidence by safeguarding personal data and respecting privacy rights
–> Business Competitiveness: Enhances competitive advantage by demonstrating a strong commitment to data protection and establishing a positive brand image
what are the 2 aspects in governance and risk assessment
Governance Structure
Values Risk Assessment
what is the role of Senior Management
- Defining corporate values that are aligned with data protection
- Allocating resources to data protection
- Appointing a Data Protection Officer (DPO)
- Managing personal data protection risks
- Providing guidance on data protection initiatives
- Supporting data protection policies and programme
- Commissioning Data Protection Impact Assessments
- Advocating data protection training
- Providing directions to the DPO
what is the role of the Data Protection Officer
Implementing policies and processes for handling personal data
Fostering data protection awareness and culture
Managing personal data protection
Communicating to management any data protection related risks
Liaising with the PDPC
it is __________ to appoint a data protection officer in Singapore
compulsory
who does the DPO report to?
chief internal audit
chief legal officer
The DPO operations may be outsourced to a service provider; however, the DPO responsibility remains with _____________
a member of the senior management
what is Data Protection as a Service
when the DPO operations are outsourced to a service provider
Protecting personal data is the responsibility of ______
everyone in the organization
what is the Culture of Accountability and Staff Training
- Personal data protection education for all staff, from Board to Senior Management to Staff
- Training and briefings on personal data protection should be tailored to job functions
- Regular staff communication circulars to include personal data protection topics
what should the senior management have an understanding of?
Senior management should have an understanding of risks and review how risks affect the organisation
what are the 4 types of risks
Strategic
*Affects achieving company strategic objectives
*e.g. governance, strategic planning
Operational
*Affects organisational operations
*e.g. sales and marketing, production
Compliance
*Affects organisational compliance with regulations
*e.g. legal, code of conduct
Financial
*Affects organisational financial process
*e.g. reporting, tax
To manage risks, senior management should ensure that data protection is incorporated into their ___________
Risk Management framework
what are the 3 things needed for corporate governance
policies
practices
communication
what are the 2 data privacy policies
To comply with Personal Data Privacy regulations
To set expectations for individuals
what are the Policies that need to be explained
What data is collected
Why the data is being collected
What do you plan to do with the data
Contact details for any questions or concern
what are the Policies that need to be understood
Use plain language
Frequently Asked Questions
Structured for the user
Easily accessible
what is Data Protection by Design
Practicing personal data protection throughout the project’s operational life cycle
benefits of Data Protection by Design
Identifies personal data protection issues early
Increases personal data protection awareness
Complies with PDPA obligations
what is Data Privacy Communication
Organisations should ensure that personal data protection policies are communicated clearly and upfront
different ways of communication
Notification
*Publish policies and other information in simple language
*Use relevant channels (e.g. websites) that are easily accessible
Consent
*Ensure that users understand what they are consenting to
*simple and clear consent clauses at appropriate touchpoints
Policy Updates
*Communicate any policy or service updates
*Communicate separately from other marketing messages
Interaction with Users
*Ensure staff interacting with users are trained in policy content
*Ensure staff sensitivity in handling data privacy feedback and queries
Access, Correction, and Complaint Handling
*Provide accessible channels for users' requests
*Ensure proper processes and prompt response
what are the 3 processes
Risk Identification and Mapping
Risk Remediation and Controls
Risk Reporting and Breach Management
what are Risk Remediation and Controls
To implement systems-based or process controls
what are Risk Identification and Mapping
To identify and map risks relating to personal data
what are Risk Reporting and Breach Management
To monitor and report occurrences of risks and breaches
To implement systems-based or process controls
what are the 3 tools used for identifying and mapping risks
–> Data Inventory Map – catalogues personal data, including its collection, use, disclosure, storage and disposal
–> Data Flow Diagram – depicts the movement of that data through internal systems and external transfers
–> Risk Register – records risks associated with the personal data and how it is used, and the likelihood and consequences of the risk occurring
what are the 5 Risk Remediation and Controls
- Identify where personal data is stored
- Determine level of security controls required
- Apply controls on systems/infrastructure that store personal data
- Implement process controls to approve, review and manage access rights
- Build data protection measures during the software development lifecycle
how can you manage a data breach (Risk Reporting and Breach Management)
To manage a breach by
* Containing the breach
* Assessing the risk
* Reporting the incident
* Evaluating appropriate response and recovery procedures
what are the 3 steps in monitoring
review
audit
monitor
what happens in Reviewing Policies and Practices
Changes in the environment may require revisions to data protection policies and processes.
Organisations will have to decide whether the reviews should be applied immediately or periodically
when should the immediate reviews happen
Major data leakage incident
Legislative or regulatory amendments
Organisational changes
what are the periodic reviews
Revision of data protection policies and processes at regular intervals
Batch review of occurrences of minor incidents
how should organisations conduct an audit and monitor
Organisations can conduct an audit, monitor and evaluate the overall implementation of their data protection policies and processes
This could be done by
* An internal audit on a periodic basis
* An ad-hoc inspection or walk-through
* Obtaining and maintaining certifications for the organisation's data protection measures
what should an organisation do to monitor changes
Organisations need to keep up to date with changes and developments within and outside the organisation
what does the external monitoring environment include
Amendments to regulations
Data best practices or data incidents in other organisations
Technological changes or emerging technologies
what does the internal monitoring environment include
New or updated systems or processes
New business model
Data incidents or feedback/complaints