SINGAPORE (July 22): Personal data protection is never far from the mind of Tan Swee Wan, CEO of TRS Forensics. The technology-based consulting firm is one of only a dozen companies that have earned the Infocomm Media Development Authority’s (IMDA) Data Protection Trustmark (DPTM) certification, which was officially launched in January this year.
“In the course of our engagement with clients, TRS Forensics handles a lot of personal data that our clients [have] collected and have the obligation to protect,” Tan tells The Edge Singapore. “It is therefore of utmost importance that we put in place sound mechanisms to protect our clients’ and our own confidential and personal data.”
Already, the DPTM has come in handy. Soon after TRS Forensics obtained it, the company found itself up against several well-known international competitors bidding for a high-value forensics technology project. The DPTM caught the eye of the client, a large European MNC, and TRS Forensics went on to win the contract.
The future digital economy is expected to generate large amounts of personal data, which increases the risks of data breaches and misuse. But companies such as TRS Forensics see a field of opportunity in the increasingly important sector, even as Singapore ramps up its plans to become the regional leader in data protection.
Minister for Communications and Information S Iswaran on July 17 announced a new framework and training roadmap to provide a clear pathway for data protection officers (DPOs) to upskill and progress in their careers.
Under Singapore’s Personal Data Protection Act, it is already mandatory for organisations to appoint DPOs. But the city state is keen to take it one step further.
“The DPO is critical to the success of every enterprise in the digital age,” Iswaran says. “Businesses with capable DPOs will enjoy a competitive advantage, by maximising data-sharing partnerships while ensuring trust and accountability.”
Modelled on the SkillsFuture framework, the DPO competency framework describes a set of skills and the different proficiency levels needed for DPOs.
The training roadmap will identify the courses that DPOs need to undergo as they advance from an entry-level proficiency to higher levels required for those with regional responsibilities.
According to Iswaran, the new framework can also serve as a guide for business owners and human resource managers to structure data protection functions and make hiring decisions.
“In this day and age where the digital world is intrinsic in our everyday lives, data protection is an imperative. There is an increasing need to help train and identify our DPOs in the core competencies necessary for them to succeed,” says Joel Tan, head DPO at menswear label Benjamin Barker.
As a start, Singapore’s Personal Data Protection Commission (PDPC) is partnering the National Trades Union Congress (NTUC) to launch a 12-month pilot programme of data protection-related courses from 4Q2019.
“Leveraging Singapore’s brand of trust, data protection can be one of the key areas in which Singapore and Singaporeans can set local and global standards,” says Patrick Tay, assistant secretary-general of NTUC. “This will help provide new career opportunities and career progression pathways for our workers.”
On top of the new initiative for DPOs, Iswaran also announced the appointment of IMDA as Singapore’s accountability agent for the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors systems certifications.
The systems will provide robust data protection standards to ensure that data is exchanged and used responsibly in cross-border data flows to other certified organisations. The city state is only the third economy to operationalise the system, after the US and Japan.
PDPC says these certifications will complement IMDA’s DPTM certification. DPTM-certified TRS Forensics, which has offices in Singapore and Kuala Lumpur and expects to operate in Shanghai soon, has indicated that it will be applying for the APEC CBPR certification.
“Our teams in different offices often work together on some regionally sourced engagements, which may involve data flow across borders. It is therefore important for us to go through the certification to ensure we meet the required standards,” says Tan.
Recently, PDPC also launched a Guide to Accountability in personal data protection, which sees a shift in emphasis from an “increasingly impractical and insufficient” compliance-based approach towards an accountability-based approach.
“Amid a business environment that is constantly disrupted by technology, it is impractical to adopt the approach of a box-checking exercise when handling personal data,” says PDPC commissioner Tan Kiat How. “In fact, a simplistic and rigid approach would do more harm than good in the long term.”
The guide covers accountability in three broad areas: within an organisation, within the industry and in enforcement. It includes examples and resources that organisations may use to translate accountability concepts into practical steps it can adopt.
“The way data is being used will continue to evolve as technological changes bring about new opportunities and complexities,” says Iswaran. “It is only through strengthening our capabilities and forming trusted connections that we can adapt and thrive in the data-driven age.”