Hot on the heels of my report that the PDPC’s enforcement priorities have evolved, the PDPC has made what might be the biggest change to its advisory guidelines yet. The “Openness Principle” is now the “Accountability Principle”. A name change or something completely new?
The “old” principle
When I give training on the principles of data protection, the then “Openness Principle” is usually dealt with last. It was also the last topic in the Main Advisory Guidelines.
The openness principle basically consists of two ideas:
- Every organisation must appoint a Data Protection Officer and make the officer’s contact details public.
- Have policies and practices to comply with the PDPA.
In the training sessions I usually conduct for employees, this is covered very quickly. It’s no wonder. After saying that there is a DPO and there are policies (why am I giving training then?), there’s not much to say.
From “Openness” to “Accountability”
If you can grasp the two key ideas in the “openness” principle, you will be at home with the new section on accountability. The key ideas are still there. It is still about appointing a DPO. It is still about having policies and guidelines.
So is this just a marketing exercise? I agree, but in a good way.
- “Openness” made sense when the PDPA first came out. It was about making sure that data protection efforts by an organisation can be seen. You could ask and the organisation would respond. In this nascent field, this was an achievement.
- However, “Openness” also just meant you had to be “open”. I could appoint a DPO. He could be the HR guy or some other hapless dude. As long as there was an “open” window, we would be fine. Put up some policies and be done with it.
- This checkbox attitude would never prevent a data breach. In fact, if an organisation tried to argue its way out of a penalty by claiming it was as open as the PDPA said it should be, it would make a mockery of the PDPA.
Accountability should then be seen as an upgrade on openness. The language is now about compliance. “Accountability under the PDPA requires organisations to undertake measures in order to ensure that they meet their obligations under the PDPA and, importantly, demonstrate that they can do so when required.”
I hate to say that this is hardly surprising, and anyone who follows this area closely knows this was coming.
It is most interesting that the first major change to the Advisory Guidelines is squarely aimed at senior management. Openness or Accountability is not for employees. The people who appoint DPOs and enact policies and guidelines are management. Hopefully the news will prompt management to reassess their compliance obligations and enact changes quickly if necessary.
Any incentives to comply?
In one of the most interesting sections of the Accountability Guide, the PDPC writes:
An organisation that has detected a data incident early and demonstrated that it has established processes to respond to it quickly and effectively may submit to the PDPC an undertaking to voluntarily commit to implement its remediation plan and resolve the breach.
Guide to Accountability, Page 18
This sounds like a get out of jail (almost) free card, doesn’t it? If you are not convinced, think about this. With the upcoming rules on data breach notification, the increasing focus on DPOs and data protection policies, and penalties for data breaches being aggravated by the lack of such compliance, this may be an invaluable tool.
I am still a bit skeptical right now though. The penalties are still too low for management to notice. A data protection compliance programme may become too narrow because of the several exclusions. One might question the commitment of regulators to their principles if they come down too hard on the tech industries which Singapore desperately wants to attract.
Victories aren’t won in a day though. We can take what we get today.
The latest PDPC Amendments in 2020 now walk the talk. Check out my sticky post outlining the big changes on their way to the PDPC.