Singapore Personal Data Protection Act (PDPA) Compliance

Protection of Personal Data, Section 24:

“An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent —
(a) unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks; and
(b) the loss of any storage medium or device on which personal data is stored.”

Advisory Guidelines on Key Concepts in the PDPA

The Data Protection Obligation, 17.3 c)

“Implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, data protection, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

Prevalent enables organizations to assess and monitor their third parties based on extent of the threats to their information assets by capturing, tracking and quantifying inherent risks for all third parties. The outcome is a tiered and categorized list of vendors with an inherent risk score to inform further due diligence.

Advisory Guidelines on Key Concepts in the PDPA

The Data Protection Obligation, 17.3 d)

“Be prepared and able to respond to information security breaches promptly and effectively”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting
• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates
• Data and relationship mapping to identify relationships between your organization and third, 4th or Nth parties to visualize information paths and determine at-risk data

Advisory Guidelines on Key Concepts in the PDPA

The Data Protection Obligation, 17.4

In addition, it might be useful for organisations to undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate.

In so doing, the following factors may be considered:

a) the size of the organisation and the amount and type of personal data it holds;
b) who within the organisation has access to the personal data; and
c) whether the personal data is or will be held or used by a third party on behalf of the organisation.

Prevalent delivers a comprehensive third-party data protection risk assessment program that includes the following capabilities:

Discovery and Third-, Fourth- and Nth-Party Data Mapping
Prevalent offers scheduled assessments and a unique relationship mapping capability to trace data transfers between business relationships, identifying where data exists, where it flows, and who it is shared with outside the organization. The results automatically generate a risk register that highlights key areas of risk.

Self-Assessments
With Prevalent, organizations can conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. The PIA evaluates the origin, nature, and severity of the potential risk. It also provides recommendations to mitigate identified risks, ensuring future compliance with privacy regulations.

Vendor Risk Assessments
Prevalent assesses vendor data privacy controls against PDPA using the Prevalent Compliance Framework (PCF) and a dedicated PDPA survey. Specific questionnaire content helps to identify risks and map them to controls for a clear view of potential hot spots.

Risk Response
Prevalent automates risk identification based on thresholds set in the platform. This capability accelerates response with pre-built workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition.

Compliance Tracking and Reporting
Prevalent reports against PDPA using the Prevalent Compliance Framework (PCF). The PCF automatically maps risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to provide visibility into data security.

Continuous Breach Event Notification Monitoring
Prevalent provides access a database containing 10+ years of data breach history for thousands of companies around the world. It includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.