Legal Bulletin November 2017


Published date: 29 Nov 2017

PDPC releases Guide to Developing a Data Protection Management Programme and Guide to Data Protection Impact Assessments

On 1 November 2017, the Personal Data Protection Commission (“PDPC”) published the following two new guides on its website to provide guidance and encourage accountability in personal data management:
· Guide to Developing a Data Protection Management Programme (DPMP): This guide seeks to help organisations develop or improve their personal data protection policies and practices through the implementation of a DPMP. Organisations may benchmark their existing personal data protection policies and practices against this guide. A DPMP is a systematic framework to help organisations establish a robust data protection infrastructure. It covers management policies and processes for the handling of personal data, and defines the roles and responsibilities of the people in the organisation in relation to personal data protection. The guide sets out the following suggested steps which organisations may follow to develop their DPMP:
  - Develop a data protection policy;
  - Designate data protection roles and responsibilities;
  - Design processes to operationalise policies; and
  - Detail ways to stay relevant.
· Guide to Data Protection Impact Assessments (DPIAs): This guide provides an introductory outline of key principles and considerations for organisations, especially those without any measures or tools to address specific personal data protection risks, on conducting a DPIA for systems and processes. Data protection risks are best addressed when the system or process is (i) new and in the process of being designed, or (ii) in the process of undergoing major changes. Some examples of when to conduct a DPIA include:
  - Creating a new system that involves the handling of personal data (e.g. a new website that collects personal data);
  - Creating a new process, including manual processes, that involves the handling of personal data (e.g. a receptionist collecting personal data from visitors);
  - Changing the way that existing systems or processes handle personal data (e.g. a redesign of the customer registration process); and
  - Changes to the organisational structure that affect the department handling personal data (e.g. mergers and acquisitions, restructuring).
An effective DPIA should involve relevant stakeholders from various functions of the organisation (e.g. the project manager, the Data Protection Officer, IT department) and where needed, relevant external parties (e.g. subject matter experts), to identify, assess and address the data protection risks. The person leading the DPIA should ideally be the project manager or the Data Protection Officer.
Reference materials
The guides are available on the PDPC website.
For further information, please contact:
+65 6890 7883
+65 6890 7852
+65 6890 7526
+65 6890 7627
+65 6890 7833
