Data Protection & PDPA in Thailand

Data Protection & PDPA

With the Personal Data Protection Act (PDPA) set to come into effect on June 1st, 2022, organizations across the country must ready themselves to comply with the new regulations. Being adequately prepared means understanding the PDPA and clearly communicating its implications to everyone in the organization who has access to personal data.

Assessing current data collection practices

The first step of preparation is to comprehensively assess your organization’s personal information collection and use practices by carrying out a detailed gap analysis. At this stage, special attention should be paid to the areas of greatest regulatory risk. Compliance with new regulations is a work in progress that can pose significant challenges, but by focusing on basic principles, key requirements, and the building blocks of data privacy, your organization should be well equipped to meet the new regulatory requirements.

A designated lead, the Data Protection Officer (DPO), should be appointed to determine which employees deal with client data and to inform them of how the new regulations may affect their day-to-day tasks. The organization must then determine how much personal data it has access to and where all of it is stored, including on personal devices. This process involves a careful assessment of local and cloud-based operating systems, personal and company mobile devices, spreadsheets and databases, paper records, personal files, handwritten notes, and any other place where data could conceivably be located. Once you have a full grasp of all the personal data your organization currently holds, you must then clearly define your purpose for holding it. Under the PDPA, this purpose must be “specified, explicit and legitimate”.

Gaining consent

When seeking consent to use someone’s data, you should be completely transparent about your intentions. The simplest way to achieve this is with a short privacy notice written as plainly as possible. Individuals need to know exactly what you plan to do with their data, how long you will hold it, who else you will share it with, and why; this is the bare minimum. It is also good practice to provide whatever additional information you feel will help your potential customers make an informed decision.

Moreover, there is a fundamental difference between telling a person that you’re going to use their personal data and getting their consent. For your use of an individual’s personal data to be both ethical and compliant with the PDPA, the individual in question must positively opt in. If your consent mechanism consists solely of an “I agree” box with no supporting information, it won’t be considered valid.

You will also need to regularly remind clients of when their consent will expire and send them a new privacy notice if you wish to collect and use their data again. Managing this may require an update of your systems and processes.
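The three requirements above (a notice stating what, how long, with whom and why; a positive opt-in rather than a bare “I agree” box; and reminders before consent expires) are easy to lose track of once consent is stored in a system. The following is an added example, not code from the original page or from Pimclick, of a consent record that encodes those checks. The field names, the `ConsentRecord` structure, the organisation-chosen consent lifetime and the 30-day reminder lead time are all assumptions; the PDPA text itself does not prescribe them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The "bare minimum" a privacy notice must state: what you do with the data,
# how long you hold it, who else you share it with, and why.
REQUIRED_NOTICE_FIELDS = ("purpose", "retention", "recipients", "sharing_reason")


@dataclass
class PrivacyNotice:
    purpose: str = ""
    retention: str = ""
    recipients: str = ""
    sharing_reason: str = ""


@dataclass
class ConsentRecord:
    subject_id: str
    granted_on: date
    valid_for: timedelta                     # consent lifetime chosen by the organisation (assumption)
    opted_in: bool                           # the person actively accepted
    pre_ticked: bool = False                 # the box was already checked before they saw it
    notice: Optional[PrivacyNotice] = None   # None models a bare "I agree" box with no notice


def as_date(value):
    """Accept either a date or an ISO-8601 string such as '2022-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def make_record(subject_id, granted_on, days, opted_in, pre_ticked=False, notice=None):
    """Convenience constructor using an ISO date string and a lifetime in days."""
    return ConsentRecord(subject_id, as_date(granted_on), timedelta(days=days),
                         opted_in, pre_ticked, notice)


def missing_notice_fields(notice):
    """List the required fields the notice fails to state (all of them if there is no notice)."""
    if notice is None:
        return list(REQUIRED_NOTICE_FIELDS)
    return [f for f in REQUIRED_NOTICE_FIELDS if not getattr(notice, f).strip()]


def expiry_date(record):
    return record.granted_on + record.valid_for


def consent_problems(record, today):
    """Reasons this consent cannot be relied on today; an empty list means it is usable."""
    today = as_date(today)
    problems = []
    missing = missing_notice_fields(record.notice)
    if missing:
        problems.append("notice missing: " + ", ".join(missing))
    # A pre-checked box, or no action at all, is not a positive opt-in.
    if not record.opted_in or record.pre_ticked:
        problems.append("no positive opt-in")
    if today >= expiry_date(record):
        problems.append("consent expired on " + expiry_date(record).isoformat())
    return problems


def consent_is_valid(record, today):
    return not consent_problems(record, today)


def reminder_due(record, today, lead_days=30):
    """True when consent is still live but will expire within lead_days (assumed 30)."""
    today = as_date(today)
    exp = expiry_date(record)
    return today < exp <= today + timedelta(days=lead_days)


if __name__ == "__main__":
    # Constructed sample records, not real subjects.
    notice = PrivacyNotice("send a monthly newsletter", "12 months",
                           "our email delivery provider", "to deliver the newsletter")
    good = make_record("subject-1", "2022-06-01", 365, True, notice=notice)
    bare = make_record("subject-2", "2022-06-01", 365, True)          # "I agree" only
    print(consent_problems(good, "2022-07-01"))   # []
    print(consent_problems(bare, "2022-07-01"))   # notice missing: ...
    print(reminder_due(good, "2023-05-15"))        # True, expires 2023-06-01
```

Running `consent_problems` before every use of a subject’s data, rather than once at collection time, is what turns the expiry and reminder rules into something the system enforces instead of something staff have to remember.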

Be ready for data breaches

Under the PDPA, a data breach is defined as an “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”. The PDPA compels organizations to report certain types of data breaches to the regulator and to the affected individuals. To be PDPA compliant, you need to be able to demonstrate that you have appropriate technical and organizational measures in place to detect, investigate and report data breaches.

Make a plan and seek support if needed

You’ll need to have a strategy in place to ensure your organization is ready for the May 27th deadline, and you’ll need time to test any new systems and processes. If you have any doubts or questions about your organization’s ability to meet PDPA requirements, reach out and speak with other trusted business leaders in your sector. Better yet, Pimclick will be offering more in-depth PDPA information sessions.

Pimclick is a digital marketing and tech agency that specializes not only in marketing but also in cybersecurity and coding, to make sure that you stay well within the safety zone of the internet. With the PDPA fully in effect, Pimclick has learned ways of improving a company’s data and website security. Our services include front-end and back-end coding, application development, quality control & security, etc. If you would like to hear more from us, contact us directly and we will assist you.
