Spotlight On... Ann Tan, a DPO who has advanced her career in data protection and compliance

In this edition, we feature Ann Tan Dip in Compliance and Adv Dip in Data Protection FIP CIPM CIPP/A EXIN (GDPR, INFOSEC).

Please share with us about your background

I started my career by joining DBS Bank as a Relationship Manager. After 12 years of doing sales, I moved on to take on a corporate role in the Bank's Consumer Banking. I was with the Bank for 19 years. I then joined Promiseland Independent Pte Ltd in September 2009, starting out in Administration and Operations Executive before moving into Compliance. 

On 1 May 2015, I was promoted to Senior Compliance Officer and double-hatted as Data Protection Officer (DPO). In February 2017, I was promoted to Director, Compliance.

How is it that you got interested in data privacy/protection? When did you first get involved and exposed to the importance of data privacy?

When I was appointed to be a DPO, I realized that I was very lacking in the knowledge of this area and find it hard to perform my role. I went online to search on Data Protection but none of the articles or write-ups could really help me perform my role in our local context.

During one of my online searches, I came across Straits Interactive Pte Ltd website and saw the a programme on Hands-on Data Protection Officer Training Programme. I spoke to my Management to sponsor me for this programme and subsequently I completed this programme on 20 November 2015. This course allows me to gain a wide understanding on what Data Protection is all about.

What data privacy courses did you take from Straits Interactive /DPEX network and why? How was that different from other courses you took?

I attended courses and attained the following certifications:

1) IAPP Certified Information Privacy Manager (CIPM) on 25 April 2017.

2) IAPP Certified Information Privacy Professional / Asia (CIPP/A) on 18 April 2019.

3) SMU Certificate in Data Protection Operational Excellence on 18 January 2019.

4) SMU Certificate in Data Protection Principles on 21 February 2020.

5) SMU Advanced Diploma in Data Protection on 21 February 2020.

In addition, I was admitted as a IAPP Fellow of Information Privacy (FIP) on 28 May 2019.  For 1) to 5) above, the courses were conducted by Straits Interactive. I loved attending Straits Interactive courses as I find them very interesting, challenging and rewarding. I have learnt a lot not only from the trainers but also from all the participants who comes from different background. The courses are structured to make learning fun, fruitful, interactive and there were numerous sharing by everyone. The learning has helped me to understand and will definitely helped me not only in my areas of work but also in the areas as an Individual. To me, this has been a truly invaluable learning experience. I have learnt so much from everyone’s constructive inputs throughout each and every courses that I attended. All their courses have greatly exceeded my expectations significantly.

What is your current job role? Which privacy functions are you involved in?

In Promiseland, Data protection and privacy related matters falls within the purview of the Compliance Division which I am currently overseeing and is accountable for this area. I also provide guidance and supervises my 2 Compliance Officers. My area of work include coming up with policies, conducting training to educate, create awareness and complaints handling. I also take care of the enforcement areas should any staff or sales representatives who does not comply or breached any of our policies.

I drafted and implemented my Company's Privacy Statement, Information Technology Policy and Privacy / Data Protection Policy. I conduct annual review of the policies or as and when there are changes and update them accordingly. This involves administering the procedures and processes on our requirements on privacy / data protection and Do Not Call (DNC) related matters and conducting many trainings to management, staff and sales representatives on our policies. Minimally, the training is conducted annually and as and when we have new staff / sales representatives on board. In my training. I also cover enforcement cases that is found in PDPC website or in news articles.

To date, I investigated about 20 complaints related to privacy and data protection issues. Cases that were substantiated, we took disciplinary actions against the sales representatives involved.

As the DPO, I represent the Company and is the point of contact for all complaints and when dealing with our Regulators / Authorities mainly PDPC and Monetary Authority of Singapore (MAS) including queries, reporting, questionnaires, surveys and visits. I also represent our company to handle and respond to all internal and external PDPA-related enquirers and take note of areas of concerns and to highlight to Management.

How has the data protection knowledge enable you advance your career?

The organisation need to be steered in initiating its data protection programme. After attending these courses, I was able to put in place the relevant Policies relating to Data Protection. I also helped formed the DPO Steering Committee in my Company. I have gained the confidence when dealing with Regulators / Authorities / Staff / Customers / Business Partners / Vendors, etc. It has enabled me to conduct investigations promptly and effectively on all complaints that comes to my Company. We (Compliance Division) conducts random audit checks to ensure no personal data are left unattended. We have a Disciplinary Actions Policy in place and will take appropriate enforcement actions against any of our staff / sales representatives, where necessary. Reports on audit findings are submitted to Management on a bi-yearly basis and key risks areas are highlight to respective Division's Heads. I review all external vendors / business partners agreements / contracts in the areas of PDPA and sign off on the agreements. 

I also review all new / revised Consultation Papers, Notices, Guidelines, and Directives and implement them in our Company as deemed appropriate.   Upon identifying the gaps I am in a better position to initiated an intensive training on Data Protection by Straits Interactive/DPEX Network for all our Division Heads. The training was done in July / August 2019. It is important that I attend the external briefing / sharing and advisory sessions related to privacy / data protection. 

Being a practitioner, I do get invited to share my experiences in handling regulators, clients, staff, sales representatives, business partners etc. Eventually, I hope to pursue the role of a Consultant to be able to share my experiences and to work with others who needs helps in the area of Data Protection and Privacy.

What advice do you have for others?

Data Protection is an area that everyone must know and comply with, not only in Singapore but the whole world.

I strongly encourage everyone, even if you are not doing the role of a Data Protection, to attend any or all of the courses conducted by Straits Interactive to enhance your knowledge in Data Protection as an Individual.

For those who are in the Data Protection role, all the more you must attend these courses. With our numerous government funding, especially those who are 40 years & above, should seriously tap on these funding to attend these courses to enhance their understanding. Trust me - this is a good investment and you will not regret attending these courses.

What practical advice would you offer to those wanting to implement a data protection management programme in their organisation?

Before a DPMP can be implemented, we need to first get Management buy in. We must also understand our organisation business model, individual divisions structures and appoint key personnel from each division to represent in a committee.

Once this has been established, we can then customise our personal data protection policies and practices to our organisation needs and structure.

DPMP is a standard system framework to help organisations put in place a robust data protection infrastructure which covers Policies, Processes and People in the organisation. DPMP helps an organisation to demonstrate accountability in data protection, expectations & sound practices by all employees within an organisation, provide confidence to stakeholders and foster trusted relationships with customers and business partners.

DPMP should be supported by strong governance and robust risk awareness:

• Board and Senior Management set clear risk appetite and tone from the top for effectiveness.
• To allocate clear responsibilities and drive continual enhancements.
• Good practices are embedded through training, performance frameworks and compensation practices.
• Key risk understanding and red flags are continually reviewed and updated.

Any final words or thoughts?

Being a practitioner, I do get invited to share my experiences in handling regulators, clients, staff, sales representatives, business partners etc.  In fact, there was a complaint against one of our sales representatives that was enforced. For this complaint, we were able to put up a case to PDPC to anonymise our Company name as the fault does not lies with our Company. We had all the policies, standard operating procedures and processes in place when this complaint happened.  Our Management was very happy when PDPC agreed to our request (we were the first company to do so and the request was granted, I heard). The case was subsequently made public on PDPC website without any mention of our Company name. This case was also published in the newspapers. Eventually, I hope to pursue the role of a Consultant to be able to share my experiences and to work with others who needs helps in the area of Data Protection and Privacy. Last but not least, I would like to say a BIG THANK YOU to my Managing Director, David Choo for his confidence in me and to Kevin, Alvin, Celine and everyone at Straits Interactive for making the above possible for me.

By -  Leong Wai Chong (GRCP)

Editor's note: Information correct at time of publication.