A non-profit organisation is usually set up for cause that benefits the wider community and is usually not quantifiable by monetary gains hence, not profit driven. E.g., providing services to the disadvantaged in society, environment issues, animal rights. These organisations are usually resource strapped and there may be a misconception that data protection requirement is less stringent on them.
The law is impartial and does not state such a difference in treatment. Often organisations that “do good” also collect, use, disclose and store a great deal of personal data, and would be subject to similar risks as commercial, profit-motivated organisations. This is especially in digitised economy where work, transactions and interactions require personal data.
The true cost of non-compliance may extend beyond just a financial penalty from the regulator.
From the regulator(s), the following may arise:
a. Fines or Financial Penalty.
In Singapore, fines are intended to act as a form of sanction and deterrence against non-compliance when Directions alone do not sufficiently reflect the seriousness of the breach. In considering whether to direct an organisation to pay a financial penalty, the PDPC will take into account the seriousness of the incident of the breach. In assessing the seriousness of the breach, the PDPC considers the following:
Impact of the data breach, which may be factored by the number of affected individuals and/or types of personal data that were compromised or put at risk as a result of the breach.
b. Warnings, directions, and undertakings.
In Singapore, it is very much at the discretion of the regulator but 2 important considerations whether the organisation may carry out with then undertaking is when:
Other ramifications of non-compliance which may increase the true cost could include:
c. Breach of Director's Duties and Shareholders Suits
d. Litigation by Individuals
e. Criminal Prosecution
f. Reputational harm/damage Share price
g. Loss of customer & stakeholder trust
h. Remedial expenses
The demonstration of responsibility towards the care of personal data is not just measured by understanding of Legal Clauses. It is measured in the effort invested in mitigating the risk of data breach. This can be seen in efficient implementation using a top-down approach, on-going operational compliance and well as regular training and awareness sessions.
This is required in the organisation where personal data is collected, used, disclosed and stored (CUDS). At every point, the organisation has to have policies and procedures to:
In short, the “GAPSR doughnut” summarises a Data Protection Management Programme
In setting up the DPMP, the organisation can do it internally through a trained DPO. This requires the DPO to be well-trained with setting up the DPMP which requires the co-operation of all staff or department handling personal data. There are courses and a training roadmap is available.
Alternatively engage data protection service provider, i.e. Data Protection as-a- Service (DPaaS). However, the organisation is still responsible for the data it controls.
Organisation can do a quick self-diagnostic to assess what it needs in the DPEXNetwork website.
Only when the organisation has done its utmost operationalising the above care for personal data can the organisation give an account to the stakeholders and regulators that it is responsible for the data entrusted to it.
Article By: Wendy Lim, Info Sec (EXIN), CIPM and Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
Access online / in-person courses and view past training records
Join lively discussions on pertinent data protection topics
Gain access to data protection research and video resources
Receive value-added data protection updates from the region
The Info-comm Media Development Authority of Singapore (IMDA) launched the Data…
Every day we are confronted with information on companies that allegedly did th…
It cannot be reiterated enough: personal information is property that belongs t…