Areas Organisations Should Take Care Of - Privacy Culture

What are the areas that an organisation should take care of? The “culture of privacy”.

14 Oct, 2020

It cannot be reiterated enough: personal information is property that belongs to the consumer, which companies must handle with a certain duty of care.

That makes privacy compliance a much more complex challenge. Companies need to think more about what's best for the consumer as we handle personal data, as well as how to accommodate the consumer and the rights he or she might exercise under various privacy regulations. 

In short, businesses need to make a "culture of privacy" more of a priority, in much the same way anti-corruption activists like the Integrity Initiative and partners stressed the importance of a culture of compliance in the 2010s. A culture of privacy and security will be the watchword for the 2020s.

It forces deeper changes in business processes, policies, and corporate awareness of privacy - and any time we talk about changes in policy, procedure, and corporate culture, the compliance function is crucial to that. 

Now let's get more practical.

When you translate those goals into capabilities that the company must have to get the job done, several emerge as the most important.

Data Management

The regulation includes a list of specific types of information within the scope of the Data Privacy Law (DPA) - names, email addresses, photos, audio recordings, Internet search history, biometric data, and more - plus the catch-all "any information that can reasonably be associated" with a specific person.

The most fundamental compliance capability is simply to understand what personal data your company collects. Where does that data enter your extended enterprise? What business processes touch it? What third parties touch it? Where is the data stored? 

Assessment and Monitoring of Third Parties

Oversight of third parties is not a new capability per se, but the DPA pushes the need for that capability to new heights. For example, it draws a distinction between "service providers" and other third parties. A service provider receives personal data from your business as part of a written contract, to execute a specific task for you: write a legal brief, host a website, run payroll, and so forth. 

This means compliance functions will need to sharpen their assessment of third parties, to understand the exact business relationship and assure that it meets all the criteria for service providers. 

Building Compliance Business Processes

Remember, the DPA gives residents certain rights to their personal data. For example, under the DPA consumers have a right to see the data that a company has collected about them. Consequently, companies need to devise policies and procedures to fulfill that right: a way for consumers to submit the request, procedures to identify all the relevant data, and a way to present that list of data back to the consumer. 

Security specialists have already identified bogus data access requests, where hackers pretend to be someone asking to see his or her own data and dupe a company into sharing it. Companies will need to be aware of that threat and build identity-confirmation controls into their access request procedures.

Likewise, consumers can ask for companies to delete their personal data.

These are only three capabilities a company will need to develop to achieve DPA compliance; we could discuss many more. Fundamentally, the DPA will require the compliance function to get more involved in structuring business processes, since so many business processes now involve at least some processing of personal data—and achieving DPA compliance is about handling personal data with proper care, at all times. 


By: Henry J. Schumacher
Feedback is welcome; if assistance is needed, let me know. You can contact me at
