Client Success Story: TKQP

We speak to Karam Singh Parmar, Senior Partner and Chief Data Protection Officer (DPO) of TKQP Advocates & Solicitors, a full-service law firm providing legal services across a broad spectrum of industry sectors.

TKQP recently embarked on a data protection journey in consultation with Straits Interactive. In this feature for the DPEX Network community, Karam shares why an award-winning law firm places great importance on protecting the personal data of their clients and partners.

Tell us more about TKQP and your roles there.

I am Karam, Senior Partner and Chief Data Protection Officer of TKQP. We are an award-winning legal firm registered in 2000. As Chief DPO, I helm TKQP’s data protection and compliance programmes, ensuring that we adhere to regulations.

TKQP provides a broad spectrum of legal services including dispute resolution, insolvency, restructuring, and investigations; corporate and commercial transactional work; insurance; and real estate.

The nature of our business requires us to handle a significant amount of confidential and highly sensitive personal data on a daily basis. We need a very robust framework of policies, procedures, processes and measures to uphold privacy laws and protect that personal data.

What was your data protection strategy and why did you decide to engage Straits Interactive as a consultant?

Previously, our company did not have a structured data protection programme or a formal data protection team. Our measures were somewhat haphazard and not as effective as they should have been. In truth, we lacked a proper strategy. Our lawyers and staff were roped in to help out on an ad-hoc basis.

After we started working with Straits Interactive, our entire approach to data protection has changed. Our management has made data protection a priority. We formed a Data Protection Committee comprising four DPOs and seven data protection managers (DPMs). Every single department was represented by a DPM on the Committee.

Data protection decisions and measures were readily disseminated throughout the firm and uniformly implemented by everyone. DPOs oversee and supervise all data protection issues, while DPMs manage data protection measures at a more granular level. All our DPOs and DPMs have undergone data protection training.

What were some of the challenges in implementing your data protection strategy and how did you and your team engage various stakeholders in the process?

Getting the various stakeholders involved was not difficult as this was a project initiated and driven by top management. We had their full support. We are fortunate that our senior management recognised the importance of data protection and continues to be very involved and supportive of our data protection management programme.

Financing was a challenge. To this end, Straits Interactive’s assistance and advice on securing government funding made it possible for us to embark on this exercise in the way that we did. The next challenge was securing a core team of dedicated individuals that do all things necessary to make the programme work. Till today, TKQP does not have one dedicated DPO. All four DPOs and all other members of the Committee continue to have their regular duties with the firm.

Hence, they had to spend a significant amount of time outside of normal working hours learning about data protection laws, regulations and requirements; consolidating all personal data that we hold and the associated risks into a central data inventory repository; charting the flow of personal data of all the relevant processes within our company; assessing and treating the risks based on our risk identification; implementing additional policies and SOPs to address identified data protection gaps; and distributing the policies and SOPs to our employees.

The greatest challenge is still getting the rank-and-file staff to buy into the project – to see the need for a robust data protection system. Forcing staff to comply with policies and SOPS and/or threatening sanctions for non-compliance is of limited benefit if the mindset does not change.

Data protection measures have to be accepted as a necessary (and important) norm and not as a burden. We found various ways to engage the staff and lawyers in the process. From encouragement, to training, to auditing, to rewarding – the Committee undertook a cocktail of measures to get the involvement and support of all stakeholders.

Why did you decide to work with Straits Interactive specifically and what were your considerations?

Whilst we, as a legal service provider, are well versed with the PDPA, we wanted to know how to operationalise the requirements of PDPA. Selecting a data protection consultant to guide and assist us, what was important to us were the nature and relevance of the services offered; the quality of the trainers/consultants; and the cost.

Straits Interactive ticked all the boxes; they were the right fit for us. In particular, their trainers had the expertise and experience, from working with numerous clients across a diverse range of industries. They met our expectations with the quality of their training. Post training, the follow-up advice and assistance from Straits Interactive enabled us to overcome numerous teething problems.

Straits Interactive also offered a privacy management tool, DPOinBOX, which enables us to perform a baseline assessment quickly; address compliance risks with an action plan; and improve our company’s operational readiness level. It has made it much easier for us to implement and operate our data protection programme.

All this puts Straits Interactive well ahead of other consultants.

What advice would you offer other organisations to make data protection a priority?

Let me stress that this was not a one-way initiative where Straits Interactive fed us everything we needed to know and do.

We had to collaborate and work as a team, from creating a data inventory map; to identifying risks and mitigating them; to ensuring that all employees read and understood all policies and SOPs relating to data protection; to implementing the plan and so on.

The advice we would give others is to ensure that their entire organisation buys into the initiative and work towards achieving the targets. It only requires one weak link to break the chain.