What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a structured approach to identifying the privacy risks associated with the processing of personal data and to implementing appropriate controls to manage those risks. The process comprises the following six distinct steps, with consultation running in parallel throughout:
- Identify the need for a DPIA
- Describe the information flows
- Identify and assess the privacy risks
- Identify and approve controls
- Assign responsibility for implementing controls
- Re-assess and accept the risks
How Does A DPIA Work?
A DPIA works by identifying potential vulnerabilities in your project and helps you plan the way forward to improve your data privacy and compliance status. The outcome helps your business avoid potential losses, fines, and negative publicity. It checks several levels of compliance before a business begins its data processing activities, which is necessary to uphold the integrity, security, and privacy of the customer personal information used within a new or existing business.
What kind of Web Development requires DPIA?
DPIAs can be conducted on systems (e.g. public-facing websites, cloud storage platforms, Customer Relationship Management (CRM) systems), on processes (e.g. going through a health screening and receiving the medical report, or purchasing an item from an online portal and receiving it from a courier), and on mobile applications that store personal data. As long as you are developing a front-facing digital platform, you should consider conducting a DPIA led by your Data Protection Officer (DPO).
What happens when you have a data leak of Personal Data without DPIA?
The amended PDPA also comes with stiffer fines for data breaches and makes it compulsory for organizations to report breaches of a certain scale and severity to the Personal Data Protection Commission (PDPC).
Companies with an annual turnover exceeding S$10 million can now be fined up to 10 percent of their annual turnover in Singapore. The maximum fine was previously S$1 million.
Summary - Conduct DPIA to prevent the breach of PDPA
Team Oasis recommends engaging your web development or mobile application vendor as an external project data protection officer (DPO) for your project, working under the lead of your internal DPO. A technology vendor trained in PDPA will be able to propose technical measures to secure your application and protect the personal data it handles from avoidable breaches. Make sure that the vendor is certified in PDPA; otherwise, the responsibility for a breach will rest with your company.
It is a red flag if your website or mobile application project manager did not discuss the Privacy by Design approach or a DPIA with you during the planning of your project. Most likely they are not certified in PDPA, which leaves you vulnerable to an impending data breach.