What is involved in complying with the PDPA?

Patrick Oh
Published in DataFrens.sg
4 min read · Jun 18, 2022

Many organisations still do not know what is involved in complying with the PDPA.

One organisation told me they had gotten a lawyer to help them with the compliance, and the lawyer wrote a few pages as the Privacy Policy. When I asked the DPO about the Data Inventory Map, how the various obligations are complied with, and so forth, the DPO did not know any of these. So we can see that even the lawyer was not familiar with the setting up and implementation of the PDPA, and did not provide guidance on the implementation.

Another organisation told me they had gotten one of the top management consultants to help their organisation comply with the PDPA. They asked me to review the document, and I learned that they too only had the Privacy Policy. Likewise, the DPO did not know what the Data Inventory Map is, etc.

It seems that consultants who are not versed in the PDPA are offering PDPA compliance services, and this does more harm than good because it ends up as “paper compliance”, giving the organisation a false sense of compliance. I have therefore drawn the diagram below to show what is involved, so that you can see the whole process and the documentation needed, and not be given a false sense of compliance by providers of PDPA compliance services who do not know how to implement it.

Copyright: SG Venture Consulting 2022

Estimated Duration to complete the above: 3 months

Month 1: Crafting the Data Flow Diagram and Data Inventory Map, and gathering various information about the organisation. Offer streamlining of the data flow, if needed, as a value-add.

Month 2: Conduct the risk analysis of the organisation’s data flow (Privacy Impact Assessment), and design appropriate controls (technical, administrative, physical) to mitigate these risks.

Month 3: Drafting and compilation of the Data Protection Management Programme (DPMP), which includes the various documents shown in the diagram.

NOTE: The initial setup will take up some time, but after that comes the implementation. The PDPA is not about giving more work to the organisation. It guides organisations to enhance their existing data flow so as to better protect the personal data in their possession.

Step 1: Appoint a PDPA-trained person in a senior management position as the Data Protection Officer (DPO), and also get the various departmental heads or data handlers to serve as Executive DPOs (eDPOs), so as to form the Data Protection Team (DP Team). Advise the team and data handlers to attend the PDPA training developed by the PDPC.

Step 2: The DP Team will work together to complete the Data Flow Diagram and the Data Inventory Map. The DP Team will also need to put together some other information about the organisation.

Step 3: Once the above is completed, the DP Team will need to conduct a risk analysis based on what they have drafted concerning the organisation’s data flow. Appropriate controls will then need to be introduced to mitigate these risks.

Step 4: Next come the various documents in the Data Protection Management Programme (DPMP), as indicated in the diagram above.

* The purple text in the diagram shows the PDPA obligations the organisation needs to comply with.

If the staff are not able to put together all those mentioned above, or if they are already tied up with their job roles, the organisation can engage competent PDPA consultants to assist with the whole compliance effort and to coach the staff through the process. Take it not only as a consultation activity but also as training and development for the management staff concerning the PDPA.

Once the DPMP is completed, and if the organisation is interested in applying for the Data Protection Trustmark Certification (DPTM), another 4 to 8 weeks will be required to go through the DPTM application. This involves conducting a DPIA, doing a self-assessment, and getting an approved DPTM Assessment Body to conduct the audit. Once passed, IMDA will issue the DPTM accordingly. Organisations can also apply for a grant to cover the DPTM application.

About the Author:

Patrick Oh is an Enterprise Singapore approved certified management consultant and solutions designer (both technical solutions and programmes).

He is also the trainer for the Fundamentals of the PDPA course and the one-day DPTM Awareness course by TÜV SÜD.

He is also an ISO 31000 Risk Management professional and an ISO 27001 & 27702 Lead Auditor, providing PDPA consultancy in Singapore and the Asia region.

Website: www.sgventure-consulting.com

Email: consult@sgventure-consulting.com


Patrick is a Singapore Certified Management Consultant providing PDPA consultancy, performance management, solutions design and community development.