The Data Protection Provisions of the Personal Data Protection Act (“PDPA”) comprise nine main obligations which organisations must comply with when undertaking activities relating to the collection, use or disclosure of personal data. In the course of meeting these obligations, organisations are required to develop and implement the policies and practices necessary for them to comply with the PDPA. These policies and practices should be evident through the organisation’s Data Protection Management Programme (DPMP).
Introduction to Data Protection Impact Assessments
DPIAs can be conducted on systems (e.g. public-facing websites, cloud storage platforms, Customer Relationship Management (CRM) systems) and on processes (e.g. going through a health screening and receiving the medical report, purchasing an item from an online portal and receiving the item from a courier).
The key tasks in a DPIA include:
- Identifying the personal data handled by the system or process, as well as the reasons for collecting the personal data
- Identifying how the personal data flows through the system or process
- Identifying data protection risks by analysing the personal data handled and its data flows against PDPA requirements or data protection best practices
- Addressing the identified risks by amending the system or process design, or introducing new organisation policies
- Checking that the identified risks have been adequately addressed before the system or process goes live
This guide provides an introductory outline of the key principles and considerations for conducting a DPIA on systems and processes. It is intended especially for organisations that do not yet have measures or tools in place to address specific personal data protection risks.