SME organisations are usually resource-strapped and there may be a misconception that data protection requirement is less stringent on them. The law is impartial and does not state such a difference in treatment. This is especially in the digitalised economy where work, transactions and interactions require personal data.
Infocomm Media Development Authority (IMDA) recognises the struggles that SMEs face when it comes to data protection. Hence, their development of a programme titled DPaaS@SMEs. The DPaaS@SMEs Programme (DPaaS@SMEs) makes it easier for SMEs to outsource data protection functions and helps SMEs in strengthening their data protection capabilities. It provides basic data protection practices to SMEs to enhance consumer trust and maximise business value.
Key components of the DPaaS@SMEs Package include:
1. Data Protection Management
2. Data Breach Management
3. Training and Communications
With DPaaS, businesses can enhance their data protection practices and support with security and flexibility of recovery options through a variety of features that are available. In essence, this is the start of their Data Protection Management Programme (DPMP).
While IMDA has introduced this, other companies have their own DPaaS flavour as well.
The demonstration of responsibility towards the care of personal data is not just measured by an understanding of Legal Clauses. It is measured in the effort invested in mitigating the risk of data breaches. This can be seen as an efficient implementation using a top-down approach, ongoing operational compliance as well as regular training and awareness sessions.
This is required in the organisation where personal data is collected, used, disclosed and stored (CUDS). At every point, the organisation has to have policies and procedures to:
In essence, the “GAPSR doughnut” summarises a Data Protection Management Programme
No matter how big or small your organisation may be, getting started with a Data Protection as-a-Service (DPaaS) package is a good place to begin your data compliance journey.
Before attempting to tell stakeholders and regulators that it is responsible for the data entrusted to it, the organisation must do its best to operationalise the above data protection measures.
Article By: Straits Interactive DPaaS Team, firstname.lastname@example.org
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.
Access online / in-person courses and view past training records
Join lively discussions on pertinent data protection topics
Gain access to data protection research and video resources
Receive value-added data protection updates from the region