Any organization that handles or processes the personal data of individuals residing in Singapore needs to comply with the Personal Data Protection Act (PDPA). Often this responsibility is assigned to the IT department. Many tools and techniques of ITIL, a best-practice framework for IT service management, can be refactored to facilitate the implementation of a PDPA program and so enable compliance with the law. This presentation describes how ITIL's Continual Service Improvement (CSI) approach can be used to manage a PDPA program.
ITIL CSI approach for PDPA Management
1. CSI Approach for PDPA Compliance
Heng-Meng Tan (ITIL Expert, PMP)
June 8, 2017
2. PDPA Overview
In Singapore, the Personal Data Protection Act (PDPA) came into effect in 2014.
The PDPA regulates both the collection and the use of personal data. It also separately provides for the creation of a "Do Not Call" (DNC) registry, which allows consumers to opt out of receiving marketing material from organizations.
The PDPA applies to all organizations. An organization, for the purposes of the PDPA, is defined as any individual, company, association or body of persons, corporate or unincorporated.
The PDPA applies if the data was collected, used or disclosed in Singapore. It is immaterial that the organization in question is not located or formed in Singapore, or that it is not recognized under Singapore law.
Thus organizations, especially those incorporated or residing in Singapore, urgently need to align their policies, processes and procedures with the requirements of the PDPA.
3. Approach and processes for PDPA implementation
The PDPA requires an organization to appoint a Data Protection Officer (DPO) to ensure that it complies with the Act.
Many organizations have assigned staff from the IT function as the DPO, as IT plays an important role in the storage, retrieval and custody of personal data in computer systems.
Many IT people who attended my "PDPA Classes" asked me to give them advice on what frameworks, tools and techniques they can use to implement the PDPA.
Many IT professionals are aware that many ITIL tools and techniques can be refactored for use in implementing the PDPA.
4. Purpose of this presentation
To provide guidelines on how ITIL's Continual Service Improvement (CSI) approach can be used to implement the PDPA in an organization.
(NOTE: Many other tools and techniques can also be used; these will be addressed in other presentations.)
5. ITIL CSI Approach
The ITIL CSI approach is suitable for the implementation and management of a long-term program. It comprises 6 steps, as follows:
1. What is the vision?
2. Where are we now?
3. Where do we want to be?
4. How do we get there?
5. Did we get there?
6. How do we keep the momentum going?
We use it to manage the program and projects that move an organization towards Personal Data Protection Act (PDPA) compliance.
The CSI cycle diagram pairs each step with its main activity or output:
What is the vision? - Business vision, mission, goals and objectives
Where are we now? - Baseline assessments
Where do we want to be? - Measurable targets
How do we get there? - Service and process improvement
Did we get there? - Measurement and metrics
How do we keep the momentum going? - (feeds back into the next cycle)
6. STEP 1: What is the vision?
Establish:
A vision of complete alignment of company policy, processes and SOPs with the PDPA
The scope of the project / program
High-level objectives (e.g., zero or very few non-compliances or customer complaints within 3-5 years)
The governance and reporting structure of the Data Protection function
Obtain sponsorship and determine the budget
Obtain senior management commitment
Output of this STEP: a long-term vision and business objectives, and management approval for the program
7. STEP 2: Where are we now?
Review, assessment or formal audit using the preferred technique:
Document the existing inventory of procedures that deal with personal data using a technique such as the Data Inventory Map (DIM)
Identify gaps by comparing the DIM against the PDPA checklist
SWOT analysis
Risk analysis and management methodology
The review should include:
Organization culture and maturity (vis-à-vis personal data protection)
Processes, capability and maturity (vis-à-vis PDPA compliance)
People skills and competence in the PDPA
Report with findings and recommendations
Output of this STEP: a portfolio of projects that should be carried out over the next few years in order to achieve the vision set in STEP 1.
8. STEP 3: Where do we want to be?
From STEP 2, a portfolio of projects has been created. These projects should be described in terms of:
Value to the business
Cost of implementation
Risk
Priority
Using techniques such as portfolio analysis, select the projects for the next step (e.g., projects for the next 3-6 months).
Output of this STEP: a list of projects selected for implementation, together with the intended measurable targets for each project
9. STEP 4: How do we get there?
Develop a plan for the implementation of the projects selected in STEP 3
Initiate and kick off the projects in accordance with the plan
Outputs of this STEP include deliverables such as:
Personal Data Protection Policy
SOPs for handling personal data
Staff awareness of the need for personal data protection
Trained staff who are capable of operating the newly developed SOPs
10. STEP 5: Did we get there?
Measurements for all projects must be designed before implementation.
Typical targets might be:
X% reduction in PDPA non-conformances
X% increase in customer satisfaction
Checks and reviews of the status of the projects should identify:
Did we achieve the objectives?
Are there lessons to learn?
Did we identify any other improvement actions?
Output of this STEP: status of the PDPA implementation
11. STEP 6: How do we keep the momentum going?
Establish a culture and mindset of personal data protection
Develop a learning environment
Establish a desire to improve throughout the organization
Recognize and reinforce the message that personal data protection is everyone's job
Maintain the momentum on personal data protection (e.g., reward staff who contribute towards PDPA compliance)
Output of this STEP: zero or few PDPA non-conformances / zero or few customer complaints
12. Concluding Remarks
The ITIL CSI Approach can be used as a framework for implementing and managing a program that enables an organization to become more PDPA compliant.
Beyond the CSI Approach, other ITIL tools and techniques can also be used to enable PDPA compliance. For example:
The Information Security Management System can be adapted for use as the management system for the PDPA implementation
Stage 4 of the ITSCM process (education, awareness and training; review and audit; testing; and change management) can provide guidelines on how to run the normal operations of the PDPA program
The Incident Management and Request Fulfilment processes can be adapted to become the issue management process for the PDPA. The data protection issues that should be handled include data breaches, withdrawal of consent, requests for data access, requests for data correction, and other complaints
How other ITIL techniques can be leveraged to facilitate PDPA compliance will be addressed in other presentations to be developed later.