fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Understanding The Data Intermediary In Data Protection

data intermediary

Under the PDPA, an organisation that engages a data intermediary to process personal data on its behalf will have to ensure that is in compliance with the PDPA.

Understanding The Data Intermediary In Data Protection

Under the PDPA, an organization that engages a data intermediary to process personal data on its behalf will have to ensure that such processing is in compliance with the PDPA. The data intermediary will also have to ensure compliance with the PDPA. However, the PDPA does not directly impose most of the data protection obligations on a data intermediary which is processing personal data on behalf of another organization under a written contract, except for the obligations relating to the security and retention of the personal data.

Meeting the Protection Obligation with Reasonable Security Arrangements

A data intermediary must make “reasonable security arrangements” to protect personal data from unauthorized access, collection, use, disclosure, or any similar risks, even though it is processing the personal data on behalf of another organization.

PurpleForest, for example, ensures that all its employees’ laptop accounts are locked such that only the IT administrator can access the system and install any software and programmes.

“This ensures that Trojans or potential data stealing malware occurrences are kept to a minimum. It also stores its data with a corporate cloud service provider that adheres to the ISO/IEC 27001 standard for information security management.”

Mr Soh

As an additional measure, scheduled security scans are set up by the cloud service provider and within the employee’s own computer system to automatically detect malware. These security scans are conducted every two days. A compulsory password change is also enforced by the cloud service provider every three months, reducing the likelihood of external hacking. The passwords are required to include alphanumeric characters and symbols and have to be eight characters long.

One common challenge that organizations face is the need to ensure that all their employees are aware of the importance of personal data protection and the policies and processes that they have to adhere to.

Ensuring All Employees Are On Board Ensuring All Employees Are On Board

One common challenge that organizations face is the need to ensure that all their employees are aware of the importance of personal data protection and the policies and processes that they have to adhere to. At MC Payment, besides having in place a User Management Policy, which governs data protection and access control processes, employees are briefed on any newly implemented data protection policies and processes, and their acknowledgment of these policies are tracked and recorded. In addition, MC Payment also makes it compulsory for employees to attend in-house and external training on data protection.

Also read: 4 easy guides to data breach assessment

No “One Size Fits All” Solution

There is no “one size fits all” solution for the protection of personal data by data intermediary – each organization is urged to consider adopting security arrangements that are “reasonable and appropriate” in their own circumstance. The measures taken will depend on various factors such as the nature of the data, the form in which it has been collected, and the possible impact on individuals should the personal data fall into the wrong hands.

There is no “one size fits all” solution for the protection of personal data by data intermediary – each organization is urged to consider adopting security arrangements.

Meeting the Retention Obligation

Besides putting in place security arrangements to protect personal data, all data intermediary are also required to meet the Retention Limitation Obligation under the PDPA. This means that they have to cease retention of documents containing personal data, or remove the means by which the personal data can be associated to specific individuals, as soon as the retention no longer serves the purpose the personal data was collected for, and is no longer necessary for legal or business purposes.

Setting Out the Responsibilities and Obligations

Under the PDPA, organisations are ultimately accountable for personal data that is being processed on their behalf by their data intermediary. As they hand over the data to a third party for processing, therefore, it is important that they include provisions in their written contract to clearly set out the data intermediary responsibilities and obligations to ensure compliance with the PDPA.

A data intermediary is fully responsible under the PDPA for other activities which do not constitute processing personal data on behalf of another organization under the written contract, e.g. collecting any personal data on its own accord or using personal data for its own purposes, or any processing of personal data on behalf of another organization that is not pursuant to a contract made or evidenced in writing.

Also read: Privacy policy template important tips for your business

CONSULT US TODAY

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us