CSI Approach for PDPA Compliance
Heng-Meng Tan (ITIL Expert, PMP)
June 8, 2017
PDPA Overview
- In Singapore, the Personal Data Protection Act (PDPA) came into effect in 2014.
- The PDPA regulates the collection, use and disclosure of personal data. It also separately provides for a "Do Not Call" (DNC) registry, which allows consumers to opt out of receiving marketing messages from organizations.
- The PDPA applies to organizations generally. An organization, for the purposes of the PDPA, is any individual, company, association or body of persons, corporate or unincorporated. (Public agencies, and individuals acting in a personal or domestic capacity, are excluded from the data protection obligations.)
- The PDPA applies if the data was collected, used or disclosed in Singapore. It is immaterial that the organization in question is not located or formed in Singapore, or that it is not recognized by Singapore law.
- Organizations, especially those incorporated or residing in Singapore, therefore urgently need to align their policies, processes and procedures with the requirements of the PDPA.
Approach and processes for PDPA implementation
- The PDPA requires every organization to designate at least one individual as Data Protection Officer (DPO) to ensure that it complies with the Act.
- Many organizations have assigned staff from the IT function as the DPO, since IT plays an important role in the storage, retrieval and custody of personal data in computer systems.
- Many IT people who attended my PDPA classes asked me for advice on what frameworks, tools and techniques they can use to implement the PDPA.
- Many IT professionals are aware that a good number of ITIL tools and techniques can be adapted for PDPA implementation.
Purpose of this presentation
- To provide guidelines on how ITIL's Continual Service Improvement (CSI) approach can be used to implement the PDPA in an organization.
- (NOTE: Many other tools and techniques can also be used; these will be addressed in other presentations.)
ITIL CSI Approach
The ITIL CSI approach is suitable for implementing and managing a long-term program. It comprises 6 steps, each with its own focus (from the CSI cycle diagram on this slide):
1. What is the vision? - Business vision, mission, goals and objectives
2. Where are we now? - Baseline assessments
3. Where do we want to be? - Measurable targets
4. How do we get there? - Service and process improvement
5. Did we get there? - Measurement and metrics
6. How do we keep the momentum going?
We use it to manage a program, and the projects within it, that moves an organization towards Personal Data Protection Act (PDPA) compliance.
STEP 1: What is the vision?
- Establish:
  - A vision of complete alignment of company policy, processes and SOPs with the PDPA
  - The scope of the project / program
  - High-level objectives (e.g., zero or very few non-compliances or customer complaints in 3-5 years' time)
  - The governance and reporting structure of the Data Protection function
- Get sponsorship and determine the budget
- Obtain senior management commitment
- Output of this STEP: long-term vision and business objectives, and management approval for the program
STEP 2: Where are we now?
- Review, assessment or formal audit using the preferred technique:
  - Document the existing inventory of procedures that deal with personal data, using a technique such as the Data Inventory Map (DIM)
  - Identify gaps by comparing the DIM against the PDPA checklist
  - SWOT analysis
  - Risk analysis and management methodology
- The review should include:
  - Organization culture and maturity (vis-à-vis personal data protection)
  - Processes, capability and maturity (vis-à-vis PDPA compliance)
  - People skills and competence in the PDPA
- Report with findings and recommendations
- Output of this STEP: a portfolio of projects that should be carried out in the next few years in order to achieve the vision in STEP 1
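The DIM-versus-checklist gap analysis in this step lends itself to a small script once the inventory is kept in a machine-readable form. The following is an added example, not code from the original deck: it models a DIM as a list of records and checks each record against an assumed checklist drawn from the PDPA's main obligations (purpose, consent, retention, access/correction, transfer limitation, DNC, protection). The field names, the rules and the two sample entries are assumptions for illustration, not the author's DIM template or an official PDPC checklist.

```python
# Added example, not from the original deck: a small machine-readable Data Inventory
# Map (DIM) and a gap check against an assumed PDPA-style checklist. The DIM fields,
# the checklist rules and the two sample entries are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DimEntry:
    """One row of the DIM: a system or procedure that handles personal data."""
    system: str
    owner: str
    data_fields: List[str]
    purposes: List[str]                # documented purposes of collection/use
    consent_basis: Optional[str]       # "express", "deemed", ...; None = not recorded
    retention_days: Optional[int]      # None = no retention period defined
    access_request_sop: bool           # SOP exists for access/correction requests
    transferred_outside_sg: bool
    transfer_safeguard: Optional[str]  # e.g. contractual clause; None = none documented
    dnc_checked: bool                  # DNC registry checked before telemarketing
    protection_controls: List[str]     # e.g. ["encryption at rest", "RBAC"]


def check_entry(e: DimEntry) -> List[str]:
    """Compare one DIM entry against the assumed checklist; return the gaps found."""
    gaps: List[str] = []
    if not e.purposes:
        gaps.append("no documented purpose for collection/use")
    if e.consent_basis is None:
        gaps.append("consent basis not recorded")
    if e.retention_days is None:
        gaps.append("no retention period defined")
    if not e.access_request_sop:
        gaps.append("no SOP for access/correction requests")
    if e.transferred_outside_sg and e.transfer_safeguard is None:
        gaps.append("overseas transfer without documented safeguard")
    uses_for_marketing = any("market" in p.lower() for p in e.purposes)
    holds_phone = any(f in ("phone", "mobile") for f in e.data_fields)
    if uses_for_marketing and holds_phone and not e.dnc_checked:
        gaps.append("telemarketing use without DNC registry check")
    if not e.protection_controls:
        gaps.append("no protection controls recorded for stored personal data")
    return gaps


def gap_report(dim: List[DimEntry]) -> Dict[str, List[str]]:
    """Map each system in the DIM to its list of gaps (empty list = no gap found)."""
    return {e.system: check_entry(e) for e in dim}


def systems_with_gaps(dim: List[DimEntry]) -> List[str]:
    """Systems that need at least one remediation project, most gaps first."""
    report = gap_report(dim)
    return sorted((s for s, g in report.items() if g), key=lambda s: -len(report[s]))


# Constructed sample DIM (two entries) for illustration only.
SAMPLE_DIM = [
    DimEntry("CRM", "Sales", ["name", "email", "mobile"],
             ["order fulfilment", "marketing"], "express", 730, True,
             True, "data transfer agreement", True, ["encryption at rest", "RBAC"]),
    DimEntry("HR spreadsheet", "HR", ["name", "nric", "mobile"],
             ["marketing"], None, None, False,
             True, None, False, []),
]

if __name__ == "__main__":
    for system, gaps in gap_report(SAMPLE_DIM).items():
        status = "OK" if not gaps else f"{len(gaps)} gap(s)"
        print(f"{system}: {status}")
        for g in gaps:
            print(f"  - {g}")
```

The output of the gap report is the raw material for the project portfolio that this step hands to STEP 3: each system with a non-empty gap list becomes a candidate project, and the number and kind of gaps feed the value, cost and risk ratings used there.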
STEP 3: Where do we want to be?
- From STEP 2, a portfolio of projects is created. These projects should be described in terms of:
  - Value to the business
  - Cost of implementation
  - Risk
  - Priority
- Using techniques such as portfolio analysis, select the projects for the next step (e.g., projects for the next 3-6 months)
- Output of this STEP: a list of projects selected for implementation, together with the intended measurable targets for each project
STEP 4: How do we get there?
- Develop a plan for implementing the projects selected in STEP 3
- Initiate and kick off projects in accordance with the plan
- Outputs of this STEP include deliverables such as:
  - Personal Data Protection Policy
  - SOPs for handling personal data
  - Staff awareness of the need for personal data protection
  - Trained staff who are capable of operating the newly developed SOPs
STEP 5: Did we get there?
- Measurements for all projects must be designed before implementation
- Typical targets might be:
  - X% reduction in PDPA non-conformances
  - X% increase in customer satisfaction
- Checks and reviews of the status of the projects should identify:
  - Did we achieve the objectives?
  - Are there lessons to learn?
  - Did we identify any other improvement actions?
- Output of this STEP: status of the PDPA implementation
STEP 6: How do we keep the momentum going?
- Establish a culture and mindset of personal data protection
- Develop a learning environment
- Establish a desire to improve throughout the organization
- Recognize and reinforce the message that personal data protection is everyone's job
- Maintain the momentum on personal data protection (e.g., reward staff who contribute towards PDPA compliance)
- Output of this STEP: zero or few PDPA non-conformances / zero or few customer complaints
Concluding Remarks
- The ITIL CSI approach can be used as a framework for implementing and managing a program that makes an organization more PDPA compliant
- Beyond the CSI approach, other ITIL tools and techniques can also be used to support PDPA compliance. For example:
  - The Information Security Management System can be adapted for use as the management system for PDPA implementation
  - Stage 4 of the ITSCM process (ongoing operation: education, awareness and training, review and audit, testing, and change management) can provide guidelines on how to run the normal operations of the PDPA program
  - The Incident Management and Request Fulfilment processes can be adapted to become the issue management process for PDPA. The data protection issues that should be handled include data breaches, withdrawal of consent, requests for data access, requests for data correction (update) and other complaints
- How other ITIL techniques can be leveraged to facilitate PDPA compliance will be addressed in other presentations to be developed later
