fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing

        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing

        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing

        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing

        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training

        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing

        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review

        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention

        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise

        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle

        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

I'VE BEEN BREACHED

Expedited Data Breach Decision: PDPC Guide on Active Enforcement

Expedited Data Breach Decision
The PDPC may consider an Expedited Data Breach Decision if the organizations involved makes an upfront admission of culpability for its role in causing the breach.

Expedited Data Breach Decision: PDPC Guide on Active Enforcement

The Personal Data Protection Commission (PDPC) published a Guide on Active Enforcement on May 22, 2019, signaling a shift in how the PDPC will approach enforcement actions in the future.

There are three primary enforcement tactics under the present approach outlined in the Advisory Guidelines on the Enforcement of Data Protection Provisions. When appropriate, PDPC could use alternative dispute resolution processes such as mediation and assisted negotiations in resolving what appears to be primarily a dispute between the parties. In the alternative, the PDPC could launch investigations, which would entail the PDPC using its statutory powers of investigation under the PDPA to gather facts and make a conclusion. Finally, if the organization has judged personal data access and/or correction, the PDPC may review that decision.

Voluntary undertakings and accelerated decisions are two more intermediate enforcement methods described in the Guide that may be pursued in lieu of a full investigation. Previously, neither the Guidelines nor the PDPA specifically stated this. The Guide explains the extent of these additional alternatives as well as the situations in which the PDPC will use either enforcement option when investigating a breach.

This update is for organizations that want to better understand the new enforcement alternatives that have become available and the procedures that should be performed ahead of time to preserve the opportunity for an organization to seek an undertaking.

Also Read: Guarding against common types of data breaches in Singapore

The PDPC published a Guide on Active Enforcement signaling a shift in how the PDPC will approach enforcement actions in the future.

Undertaking 

An undertaking is a written commitment made by the organization to the PDPC that voluntarily commits the organization to correct the violations and take actions to prevent future occurrences.

In most cases, an undertaking is available when:

1. It delivers a similar or better enforcement outcome for the PDPC than a comprehensive investigation; or

2. The organization can demonstrate that it has accountable data privacy practices in places, such as a Data Protection Trustmark (Trustmark) and an effective repair plan that it is ready to apply. 

Steps to reduce the occurrence of the incident and the development of monitoring and reporting mechanisms, audits, and policy/process evaluations should be included in the remediation plan.

A typical undertaking will include a summary of the data breach incident as well as efforts to notify and minimize harm to the impacted individual(s). The PDPC also expects the organization to have executive-level support for the undertaking, which requires the undertaking to be signed by the CEO or someone of equivalent status.

The Guide also includes examples of situations in which the PDPC will not accept an undertaking request. For example, the PDPC will not accept an undertaking request if the organization denies responsibility for the data breach occurrence, refuses to accept the undertaking’s terms and conditions or agrees to the undertaking’s publication. In particular, a request for an undertaking must be submitted immediately after the investigation begins, and the organization must have a remedial plan ready. The PDPC will not accept a request for an endeavor that necessitates more time to develop a remedial plan.

The Guide also includes examples of situations in which the PDPC will not accept an undertaking request.

Of the two conditions in which an endeavor is a realistic alternative, the second is partly within the organization’s control and can be planned for. This necessitates that organizations be prepared to demonstrate excellent accountable privacy policies ahead of time. Organizations that have conducted scenario planning and exercises to respond to data breach situations will be better positioned to produce a remediation plan when investigations begin quickly. Organizations that have gone the extra mile to achieve a Trustmark certification are also in a better position to seek a project.

This highlights the necessity of having documented protocols in place and organizational preparedness in dealing with possible data breach situations.

Expedited Data Breach Decision 

The PDPC may consider an expedited determination if the organization(s) involved makes an upfront admission of culpability for its role in causing the breach. The organization must submit a written request to the PDPC and provide and admit all information pertinent to the data breach occurs. In general, the PDPC will consider an accelerated decision if the breach involves the failure to designate a data protection officer or establish a privacy policy or if the nature of the data breach is similar to precedent instances with similar factual categories.

An accelerated decision shortens the time it takes to complete an investigation. Although the PDPC will still issue a full judgment (including the applicable directives), admitting guilt will be a significant mitigating if financial penalties are involved.

When a data breach has a substantial impact, the PDPC will normally initiate a complete investigation right away.

Full Investigation Process 

When a data breach has a substantial impact, such as when a large number of people are affected and the personal data released potentially cause considerable harm, the PDPC will normally initiate a complete investigation right away. Investigations that have been determined to have a low impact may be terminated.

If the PDPC finds a violation, the PDPC may impose: (i) a warning; (ii) just directions; (iii) only financial penalties; or (iv) both directions and financial penalties.

Also Read: What you need to know about appointing a Data Protection Officer in Singapore

0 Comments

Let us help you out.

Grab your free consultation NOW!

Privacy Ninja

Data Protection​

Cybersecurity

Support

Company

Locations

Singapore

7 Temasek Boulevard
#12-07, Suntec Tower One
Singapore 038987

Thailand

The Royal Place 1
2, 2/399 Mahatlek Luang 1 Alley, Lumphini, Pathum Wan, Bangkok 10330, Thailand



email-icon
Facebook Twitter Linkedin Youtube

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
TALK TO US
×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

× Chat with us