yt’s Data Protection Governance Framework – Volume 2

About the Author

Yang Yen Thaw

Law & tech is a persuasion, management consultancy a profession, and teaching a passion

Yang Yen Thaw is a corporate lawyer, coach, and holds various certifications as AI consultant, management consultant, Associate Adult Educator, ACLP+ACTA, and CIPM+PC:PDP(S) (data protection). He has held senior management and executive positions in management and law in listed as well as private limited companies with businesses spanning the world. He ran his own law firm for 12 years from 1999-2010. Since then, he has held various positions as partner in law firms, GC, CLO, Chief Data Protection Consultant, DPO, management consultant, corporate trainer, and a professional coach.

He was the speaker for an online seminar on PDPA and Data Governance for Smart Nation X conducted on 13 August 2021, which was jointly organized by the Prime Minister’s Office, SkillsFuture Singapore, and ntuc LearningHub. Yen Thaw has also been speaker and teacher for critical thinking and business negotiations for e2i, SkillsFuture, and PA in Singapore since 2021.

Yen Thaw is a regular trainer and consultant on data protection, AI, cybersecurity, and critical core skills. He has trained over 3,000 students comprising individuals and employees from over 100 companies ranging from public listed companies, public agencies (students from MHA, MOH, CSA, IMDA, PDPC), public sector companies, SMEs, educational institutes, PAP community schools, town councils, and their managing agents as well.

His work also covers consulting and teaching covers the following business areas:

Artificial Intelligence for Business & Enterprise

Business Negotiations

Critical Core Skills: Design Thinking, Critical Thinking 4.0

Data Protection + PDPA

Entrepreneurship, internationalization, and cross-border business

Joint Ventures, Mergers & Acquisitions

Law & Intellectual Property

Leadership & Management

Tech subjects: CyberSecurity, IoT

Yen Thaw has designed various original frameworks such as - Critical Thinking powered by QUESTS©, design thinking model – DT D.E.S.I.G.N. (also a Design Thinking for Data Protection course that was approved by IMDA/PDPC as well as WSG.), and DPGF – Data Protection Governance Framework. He has also designed, developed, and run his own courses such as – Artificial Intelligence for Business in Industry 4.0 – demystified, Surviving the Future of Work (Industry 4.0) With Critical Thinking (Powered by QUESTS©), and Cybersecurity Basics.

He has been consistently awarded Trainer Excellence Award by ntuc LearningHub for Overall Training Hours and Performance and Technology" since 2021.

Glossary

Definitions – in the context of Singapore

Data Protection Governance Framework

The Data Protection Governance Framework at a glance:

Continued from Volume 1

Plan

The Personal Data Protection Act 2012, Singapore

For ease of reference, the following abbreviations will be used:

BCI:    Business contact information

BCR:    Binding Corporate Rules

CUD:    Collection, use, and/or disclosure

DNC:    Do Not Call

P&P:    All corporate documentation used in running the organization and includes policies, processes, procedures, contracts, manuals, SOPs, etc.

PD:    Personal Data

PDPA:    Personal Data Protection Act 2012

All developed countries have data protection or privacy law. The primary law dealing with personal data in Singapore is the Personal Data Protection Act 2012, which came into effect on 2 July 2014, and its regulations. PDPA keeps and maintains Singapore’s approach to being business-friendly in mind.

PDPA regulates the collection, use, and disclosure of personal data by organizations in Singapore and provides individuals with certain rights over their personal data. Under PDPA, organizations are required to obtain an individual's consent before collecting, using, or disclosing their personal data. They must also ensure that personal data is kept secure and not disclosed without proper authorization. PDPA also requires organizations to appoint a Data Protection Officer to ensure compliance with the Act and handle data protection-related matters.

Though most organizations may adopt a generic email id for DPOs such as [email protected], though there needs to be a named DPOs that can be registered with ACRA – the Accounting and Corporate Regulatory Authority. ACRA is the regulator of business registration, financial reporting, public accountants, and corporate service providers. ACRA is also responsible for developing the accountancy sector and setting the accounting standards for companies, charities, co-operative societies, and societies in Singapore.

PDPA also establishes the Personal Data Protection Commission (PDPC), which is responsible for enforcing the Act and investigating complaints related to data protection. The PDPC has the power to impose fines and other penalties on organizations that violate PDPA.

PDPA Approach

Organizations must ensure compliance with the obligations within individual departments and not the organization as a whole.

The general approach of PDPA is to be technology neutral, principles-based, and compliant-based. Which means:

PDPA, in the words of PDPC, has been enhanced from 1 February 2021 which saw substantial amendments. Prior to the amendments, any public agency, or an organization while acting on behalf of a public agency in relation to the collection, use