chapter 5

Question 1

what is data Protection Management Programme

Answer 1

–> builds a strong foundation for data protection within the organisation

Question 2

DPMP FULL FORM

Answer 2

data Protection Management Programme

Question 3

what are DPMP SECTIONS

Answer 3

governance and risk assessment

policy and practices

processes

maintenance

Question 4

what is the purpose of the DPMP

Answer 4

–> Helps organizations demonstrate accountability in data protection

–> Stakeholders and Regulators: Ensures compliance with data protection regulations and addresses the concerns of stakeholders and regulatory bodies

–> Customers and Business Partners: Builds trust and confidence by safeguarding personal data and respecting privacy rights

–> Business Competitiveness: Enhances competitive advantage by demonstrating a strong commitment to data protection and establishing a positive brand image

Question 5

what are the 2 aspects in governance and risk assessment

Answer 5

Governance Structure

Values Risk Assessment

Question 6

what is the role of Senior Management

Answer 6

1. Defining corporate values that are aligned with data
   protection
2. Allocating resources to data protection
3. Appointing a Data Protection Officer (DPO)
4. Managing personal data protection risks
5. Providing guidance on data protection initiatives
6. Supporting data protection policies and programme
7. Commissioning Data Protection Impact Assessments
8. Advocating data protection training
9. Providing directions to the DPO

Question 7

what is the role of data protection officer

Answer 7

Implementing policies and processes for handling personal data

Fostering a data protection awareness and culture

Managing personal data protection

Communicating to management of any data protection
related risks

Liaising with the PDPC

Question 8

it is __________ to appoint a data protection officer in singapore

Answer 8

compulsory

Question 9

who does the DPO report to ?

Answer 9

chief internal audit

chief legal officer

Question 10

The DPO operations may be outsourced to a service provider, however the DPO responsibility remains with _____________

Answer 10

a member of the senior management

Question 11

what is data protection as a service

Answer 11

when the DPO operations are outsourced to a service provider

Question 12

Protecting personal data is the responsibility of
______

Answer 12

everyone in the organization

Question 13

what is the Culture of Accountability and Staff Training

Answer 13

1. Personal data protection education for all staff, from Board to Senior Management to Staff
2. Trainings and briefings on personal data protection should be tailored to job functions
3. Regular staff communication circulars to include personal data protection topics

Question 14

what should the senior management have an understanding of ?

Answer 14

Senior management should have an understanding of risks and review how risks affects the organisation

Question 15

what are the 4 types of risks

Answer 15

Strategic
*Affects achieving company strategic objectives
*e.g. governance, strategic planning

Operational
*Affects organisational operations
*e.g. sales and marketing, production

Compliance
*Affects organisational compliance with regulations
*e.g. legal, code of conduct

Financial
*Affects organisational financial process
*e.g. reporting, tax

Question 16

To manage risks, senior management should ensure that data protection is incorporated into their___________

Answer 16

Risk Management framework

Question 17

what are the 3 things needed for corporate governance

Answer 17

policies

practices

communication

Question 18

what are the 2 data privacy policies

Answer 18

To comply to Personal Data Privacy regulations

To set expectations for individuals

Question 19

what are the Policies that needs to be explained

Answer 19

What data is collected

Why the data is being collected

What do you plan to do with the data

Contact details for any questions or concern

Question 20

what are the Policies that needs to be understood

Answer 20

Use plain language
Frequently Ask Questions
Structured for the user
Easily accessible

Question 21

what is Data Protection by Design

Answer 21

Practicing personal data protection throughout the project’s operational life cycle

Question 22

benefits of Data Protection by Design

Answer 22

Identifies personal data protection issues early

Increases personal data protection awareness

Complies with PDPA obligations

Question 23

what is Data Privacy Communication

Answer 23

Organisations should ensure that personal data protection policies are communicated clearly and upfront

Question 24

different ways of communication

Answer 24

Notification
*Publish policies and other information in simple language
*Use relevant channels (e.g. websites) that are easily accessible

Consent
*Ensure that users understand what they are consenting
*simple and clear consent clauses at appropriate touchpoints

Policy Updates
*Communicate any policy or service updates
*Communicate separately from other marketing messages

Interaction with Users
*Ensure staff interacting with users are trained in policy content
*Ensure staff sensitivity in handling data privacy feedback and queries

Access, Correction, and Complaint Handling
*Provide accessible channels for users requests
*Ensure proper processes and prompt response

Question 25

what are the 3 processes

Answer 25

Risk Identification and Mapping

Risk Remediation and Controls

Risk Reporting and Breach Management

Question 26

what are Risk Remediation and Controls

Answer 26

To implement of systems-based or process controls

Question 27

what are Risk Identification and Mapping

Answer 27

To identify and map risks relating to personal data

Question 28

what are Risk Reporting and Breach Management

Answer 28

To monitor and report occurrence of risks and breach To implement of systems-based or process controls

Question 29

what are the 3 tools used for identifying and mapping risks

Answer 29

–> Data Inventory Map – cataloguing personal data that
includes, collection, use, disclosure, storage, disposal

–> Data Flow Diagram – depicts the movement of that
data through internal systems and external transfers

–> Risk Register – records risks associated with the
personal data and how it is used, likelihood and
consequences of risk occurring

Question 30

what are 5 Risk Remediation and Control

Answer 30

• Identify where personal data is stored
• Determine level of security controls required
• Apply controls on systems/infrastructure that stores
  personal data
• Implement process controls to approve, review and
  manage access rights
• Build data protection measures during the software
  development lifecycle

Question 31

how can you manage a data breach (Risk Reporting and Breach Managemen)

Answer 31

To manage breach by
* Containing the breach
* Assess the risk
* Reporting the incident
* Evaluating appropriate response and recover procedures

Question 32

what are the 3 steps in monitoring

Answer 32

review

audit

monitor

Question 33

what happens in Reviewing Policies and Practices

Answer 33

Changes in environment may require revisions to
data protection policies and processes.

Organisations will have to decide whether the reviews
should be applied immediately or periodically

Question 34

when should the immediate reviews happen

Answer 34

Major data leakage incident

Legislative or regulatory amendments

Organisational changes

Question 35

what are the periodic changes

Answer 35

Revision of data protection policies and
processes at regular intervals

Batch review of occurrences of minor
incidents

Question 36

how should organisations conduct an audit monitor

Answer 36

Organisations can conduct an audit monitor and
evaluate the overall implementation of their data
protection policies and processes

This could be done by
* An internal audit on a periodic basis
* An ad-hoc inspection or walk-through
* Obtaining and maintaining certifications for the
organisation’s data protection measures

Question 37

what should a organization do to monitor changes

Answer 37

Organisations need to keep up to date with
changes and developments within and outside
the organisation

Question 38

what does the external monitoring environment include

Answer 38

Amendments to regulations

Data best practices or data incidents in
other organisations

Technological changes or emerging
technologies

Question 39

what does the internal monitoring environment include

Answer 39

New or updated systems or processes

New business model

Data incidents or feedback/complaint