What is Data Protection-as-a-Service (DPaaS)?


SME organisations are usually resource-strapped, and there may be a misconception that data protection requirements are less stringent for them. The law is impartial and does not state such a difference in treatment. This is especially so in the digitalised economy, where work, transactions and interactions require personal data.

Common Data Protection mistakes

  1. Data breaches are still happening despite the pandemic. Organisation-wide data security protocols and firewalls are rendered less effective owing to the sudden transition to the Work-From-Home (WFH) model, resulting in far more data breach cases and ransomware attacks.
  2. Of the 10 obligations under Singapore's PDPA, the Protection Obligation was the most commonly breached obligation.
  3. Organisations still face a high level of risk in moving their operations online because many staff lack awareness and training in data protection. Any data protection management programme is only as strong as its weakest link. To a large extent, untrained staff and lack of awareness lead to callousness and may present a window where breaches can take place. Regular training, on the other hand, not only helps demonstrate accountability to Data Protection regulators but also minimises risks.

IMDA introduces DPaaS@SMEs

The Infocomm Media Development Authority (IMDA) recognises the struggles that SMEs face when it comes to data protection, and has therefore developed a programme titled DPaaS@SMEs. The DPaaS@SMEs Programme makes it easier for SMEs to outsource data protection functions and helps them strengthen their data protection capabilities. It provides basic data protection practices to SMEs to enhance consumer trust and maximise business value.

Key components of the DPaaS@SMEs Package include:

1. Data Protection Management

2. Data Breach Management

3. Training and Communications

With DPaaS, businesses can enhance their data protection practices, supported by security and flexible recovery options, through a variety of available features. In essence, this is the start of their Data Protection Management Programme (DPMP).

While IMDA has introduced this, other companies have their own DPaaS flavour as well.

Organisation’s Responsibility

Responsibility towards the care of personal data is not demonstrated just by an understanding of legal clauses. It is measured by the effort invested in mitigating the risk of data breaches. This can be seen in efficient implementation using a top-down approach, ongoing operational compliance, and regular training and awareness sessions.

This is required wherever in the organisation personal data is collected, used, disclosed and stored (CUDS). At every point, the organisation has to have policies and procedures to:

  1. Govern
  2. Identify and Assess risks
  3. Protect the data through a robust DPMP.
  4. Sustain the programme, through monitoring, updates and training sessions.
  5. Respond to queries/incidents and have a drawer plan ready.


In essence, the “GAPSR doughnut” summarises a Data Protection Management Programme.

No matter how big or small your organisation may be, getting started with a Data Protection-as-a-Service (DPaaS) package is a good place to begin your data compliance journey.

Before attempting to tell stakeholders and regulators that it is responsible for the data entrusted to it, the organisation must do its best to operationalise the above data protection measures. 

Article By:  Straits Interactive DPaaS Team, sales@straitsinteractive.com

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.
