July 12, 2018
The Personal Data Protection Act (PDPA) requires all organisations in Singapore to appoint a Data Protection Officer (DPO). The DPO’s role is to ensure that the organisation adheres to data protection guidelines as stated in the PDPA. However, with the data security landscape constantly changing, for example with the EU General Data Protection Regulation effective 25 May 2018, many DPOs are wondering how best to protect their organisation’s and clients’ personal data.
Here are the top 5 things a DPO should do right now:
1. Familiarise yourself with data protection and shredding requirements
In order to comply with the law, you need to know the rules well. With the DPO appointment being mandatory under the PDPA, organisations should familiarise themselves with the Act's requirements immediately if they have not done so already.
Organisations may face a financial penalty of up to S$1 million if they fail to protect the personal data they hold. Furthermore, the EU GDPR applies not only to organisations established in the EU but also to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, regardless of those individuals' citizenship. With this potentially affecting many organisations in Singapore, DPOs need to quickly get their organisation up to speed on the requirements.
2. Attend a workshop for DPOs
A quick way for DPOs to familiarise themselves with the basics of implementing effective data security policies is to attend a DPO workshop. Alternatively, the Shred-it website provides useful resources to assist DPOs on how to abide by PDPC guidelines and decisions, as well as what the GDPR means for organisations in Singapore. Understanding how to protect confidential data is important, as organisations could face hefty fines[1] under the GDPR of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
3. Examine existing data protection practices
Once DPOs have familiarised themselves with the guidelines laid out by the PDPC and the requirements of the GDPR, they can proceed to examine the data protection practices already implemented in their organisation. DPOs can identify the departments that are most at risk of a data breach. For instance, human resource departments are often targeted by criminals because they store large amounts of personal data, such as resumes.
4. Implement new practices to protect all personal data
Given the frequency of cybersecurity breaches covered in the news, DPOs may be tempted to focus more on digital security; however, they should not forget about protecting physical data. DPOs should enforce measures such as a Shred-it All policy and a Clean Desk policy to ensure that physical data does not get into the wrong hands.
5. Ensure that employees comply with the organisation’s data protection policy
Instituting new data protection practices is vital for every organisation. Ensuring that employees practise them daily is even more important. With many security breaches originating from within the organisation itself, DPOs need to help employees ensure that they are protecting the personal data they process.
Start Protecting Your Business
An organisation that integrates personal data protection into its business processes can help reduce the risk of a data breach. Learn more about how Shred-it can protect your documents and hard-drives by contacting us for a free quote and security risk assessment.
[1] Networks Asia Staff (2017). ‘Why Singapore companies need to comply with the GDPR’. [online] Storage Asia. Available at https://www.networksasia.net/article/why-singapore-companies-need-comply-gdpr.1496113860 [Accessed 5 April 2018]