Policies, Procedures & Data Protection Officers
Have you appointed one or more persons to be data protection officers (DPO) responsible for ensuring that the data protection policies and procedures of your organisation are in compliance with the PDPA?
Do your DPOs know their roles and responsibilities in ensuring personal data is well-protected?
Is the business contact information of your DPOs made available to the public?
Do you have personal data protection policies implemented?
Is your organisation’s personal data protection policy made available to the public?
Do you have a procedure to receive, investigate and respond to complaints relating to PDPA and personal data breaches?
Do you make available information on your organisation’s complaint process on request?
Do your employees know your organisation’s personal data protection policies and procedures? (Especially employees handling personal data.)
In small businesses, the designated data protection officer (DPO) may be the owner or manager. In a larger organisation, the designated DPO may be someone on the management team or a specific data protection officer with the requisite seniority, authority and competencies for the role.
The designated DPO may delegate his/her PDPA-related responsibilities.
Your employees should be trained on PDPA compliance and your PDPA policy. Employees in the marketing, computer security or database management departments may require specialised training to ensure PDPA compliance.
You should make your data protection policies and the business contact information of your DPOs (or delegated persons) publicly available.
There should be a process by which people can make complaints to you regarding PDPA matters.