The PDPA and Third-Party Risk Management

The Singapore Personal Data Protection Act (PDPA) delivers guidelines for ensuring third-party data security and protection. We review key PDPA requirements and share best practices for simplifying the compliance process.

By:

Scott Lang

VP, Product Marketing

March 28, 2023

The Personal Data Protection Act (PDPA) is a Singapore law that governs the collection, use and disclosure of an individual’s personal data. This post reviews the important third-party considerations in the PDPA and identifies critical capabilities to address the requirements.

About the Personal Data Protection Act

First enacted in 2012 and revised in 2020, the PDPA recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use and disclose that data for reasonable purposes. That means organizations must work with their third-party data handlers to ensure they have sound data protection practices in place. Failing to comply with PDPA provisions could result in a financial penalty of 10% of the organization’s annual turnover or up to S$1 million, whichever is higher.

To provide guidelines for organizations with customers in Singapore, the PDPA includes “Data Protection Provisions” that address:

Having reasonable purposes, notifying purposes and obtaining consent for the collection, use or disclosure of personal data;
Allowing individuals to access and correct their personal data;
Taking care of personal data (which relates to ensuring accuracy), protecting personal data (including protection in the case of international transfers), and not retaining personal data if no longer needed;
Notifying the Singapore Data Protection Commission and affected individuals of data breaches;
Having policies and practices to comply with the PDPA.

The PDPA includes ten obligations, with one – the Protection Obligation (Section 24) – applying most directly to third-party data processor outsourcing. However, the PDPA does not mandate specific processes or technologies to address third-party data protection. Instead, it published Advisory Guidelines on Key Concepts in the PDPA (Revised 17 May 2022) that allow organizations flexibility in implementing appropriate data protection controls.

The PDPA Third-Party Compliance Checklist

Download the PDPA Third-Party Compliance Checklist to reveal third-party considerations in the law and identify key third-party risk management capabilities that can help you address its requirements.

Read Now

Advisory Guidelines on Key Concepts in the PDPA: How to Comply with TPRM Requirements

it is critical to ensure that third parties use the strongest security controls when storing, managing or maintaining your organization's customer data. This section maps best practices to select articles in the PDPA to help your data privacy teams ensure that third parties are meeting data protection obligations.

NOTE: This is a summary of the most relevant articles only, and it should not be considered comprehensive, definitive guidance. For a complete list of articles, please review the complete document in detail and consult your auditor.

The Data Protection Obligation, 17.3 c)

The PDPA requires organizations to “Implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity.”

To address these requirements, organizations should consider defining the following criteria as part of their third-party risk management program:

Governing policies, standards, systems and processes to protect data
Clear roles and responsibilities (e.g., RACI) for all members of the team
Risk scoring and thresholds based on your organization’s risk tolerance
Assessment and monitoring methodologies based on third-party criticality
Fourth-party mapping to determine upstream dependencies
Sources of continuous monitoring data (e.g., cyber, business, reputational, financial) to provide constant insight into emerging risks to data
Contractual key performance indicators (KPIs) and key risk indicators (KRIs) to measure against
Reporting to meet the needs of multiple internal (and external) stakeholders
Risk mitigation and remediation strategies, including the applicability of compensating controls

Many organizations choose to align with an accepted risk management framework, such as ISO, to accomplish this. If you are looking to automate the process of measuring your TPRM program against an industry framework, be sure to select an assessment platform that provides several pre-built questionnaire options that align with multiple frameworks.

The Data Protection Obligation, 17.3 d)

The PDPA requires organizations to “Be prepared and able to respond to information security breaches promptly and effectively.”

Rapidly identifying, responding to, reporting on, and mitigating the impact of third-party vendor incidents is impossible to achieve manually or without a solid incident management foundation. Key capabilities to examine as part of your incident response program include:

Continuously updated and customizable event and incident management questionnaires to maintain flexibility in the face of ever-changing threats
Real-time questionnaire completion tracking to ensure acceptable progress is being made
Defined risk owners with automated chasing reminders to keep surveys on schedule
Proactive vendor reporting to enable third parties to self-identify incidents
Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
Guidance from built-in remediation recommendations to reduce risk
Built-in report templates
Data and relationship mapping to identify relationships between your organization and third, 4th or Nth parties to visualize information paths and determine at-risk data

The Data Protection Obligation, 17.4

PDPA suggests that organisations undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate. In so doing, the following factors may be considered:

a) the size of the organisation and the amount and type of personal data it holds;

b) who within the organisation has access to the personal data; and

c) whether the personal data is or will be held or used by a third party on behalf of the organisation.

To address these suggestions, consider the following capabilities:

Self-Assessments

Conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. The PIA evaluates the origin, nature, and severity of the potential risk. It also provides recommendations to mitigate identified risks, ensuring future compliance with privacy regulations.

Third-, Fourth- and Nth-Party Data Discovery and Mapping

Assessments and passive scanning can enable relationship mapping to trace data transfers between business relationships, identify where data exists, where it flows, and who it is shared with outside the organization.

Vendor Risk Assessments

Examine third party data privacy controls against PDPA using a common framework such as ISO. Specific questionnaire content helps to identify risks and map them to controls for a clear view of potential hot spots. As part of this process, continuously monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Risk Response and Remediation

Establish thresholds and automate risk identification based on them. Leverage workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition. Offer third parties prescriptive remediation recommendations to hold them to account.

Compliance Tracking and Reporting

Structure compliance reporting against PDPA requirements using a common industry framework such as ISO. That will enable you to automatically map risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to provide visibility into data security.

Continuous Breach Event Notification Monitoring

Stay on top of potential risks to data by monitoring data breach databases. They will provide insight into types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

How Prevalent Helps Address PDPA TPRM Requirements

Organizations that must comply with PDPA should ensure that third parties with whom they share personal information have controls in place to protect that information. Prevalent offers organizations with a scalable third-party risk management platform that addresses data protection risks. The Prevalent Platform:

Sets a strong foundation for third-party data protection with a comprehensive TPRM program
Delivers visibility into where privacy data is, how it flows, and who has access to it
Speeds risk identification and remediation, mitigating breach costs and reputational damage
Generates targeted reports for regulators, vendors and internal stakeholders
Continuously monitors for breaches and accelerates incident response to mitigate the risk of a damaging and expensive data security incident

With Prevalent, vendor, security and privacy teams have a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks.

For more information about Prevalent solutions for PDPA compliance, download our comprehensive PDPA compliance checklist or schedule a demo.

Tags: Compliance