Commissioners Mr Tan Kiat How, Singapore
Mr Stephen Kai-yi Wong, Hong Kong
Mr Il-jae Kim, Republic of Korea
Mr John Edwards, New Zealand
Other Regulators and Officials from the region and around the world,
Members of the Industry,
Ladies and Gentlemen,
A very good morning to all of you. First, let me start by saying that I am very happy to join you today at the 7th Personal Data Protection (PDP) Seminar. Our data protection legislation came into force in 2014 and we have come a long way since then. In particular, our focus has evolved in tandem with the changing data landscape - moving from just looking at compliance alone, towards accountability and the responsible use of personal data for innovation.
Celebrating the fifth anniversary of PDPC
2 I want to highlight a few key achievements across the past five years. More than a million numbers have been registered with the Do Not Call Registry; 30,000 organisations have registered their Data Protection Officers (DPOs) with the PDPC; and nearly 500 data protection complaints have been investigated and addressed.
3 In parallel, we have also seen significant changes in terms of tech advancements and the way data is collected and used. Organisations are increasingly using data to power artificial intelligence, and new technologies to innovate, increase productivity and reach customers across the globe. Consumers are also benefiting from these developments, which have enhanced convenience and improved the quality of their lives. In Singapore, we are gearing up for these trends at three levels, recognising that data has become a key resource that we have to learn to collect, harness and use responsibly and effectively.
a) At the international level, we believe that international cooperation and partnerships are crucial to data protection enforcement and data innovation. I am delighted that we have many regulators here with us today at this year’s event, and I hope that we will be able to come together to come up with specific initiatives amongst like-minded countries to take those partnerships forward. We are actively involved in the Asia Pacific Privacy Authorities and have recently assumed chairmanship of its technology workgroup. This year, the PDPC has also signed MOUs with Hong Kong’s Office of the Privacy Commissioner for Personal Data and UK’s Information Commissioner’s Office (ICO) to strengthen knowledge exchanges, cross-border enforcement and capability building.
b) At the industry level, we are working with organisations to build a culture of accountability. This is important because that is the foundation of which data can then be used responsibly. For example, the PDPC recently introduced the Trusted Data Sharing Framework, to complement the first edition of the Model AI Governance Framework launched earlier this year.
c) At the individual level, we have equipped almost 9,000 data protection professionals with the know-how to handle data confidently and securely. PDPC has also introduced a preparatory course last year, and collaborated with the International Association of Privacy Professionals in developing the examination component.
4 These efforts can succeed only with effective collaborations and partnerships with other data protection regulators, industry partners and the community of practitioners, many of whom are here with us today. On behalf of my colleagues at IMDA and PDPC, I would like to thank all of you for joining us in this effort, and for your support and cooperation. Please join me in a big round of applause.
5 While we have commenced the journey to prepare Singapore for a data-driven future, we believe there is still much to do. I will speak on two key elements that are needed for us to thrive in a data-driven digital age – strengthening data protection capabilities and growing trusted data flows. Both of which are important pillars which we can build a strong digital economy.
Strengthening data protection capabilities
6 Today, data is widely acknowledged as a major resource and a critical part of any business. Last week, the UK’s ICO announced its plan to impose a record penalty of 180 million pounds on British Airways for a data breach. It is a reflection of the growing global recognition that data is valuable, and should also be accorded due protection—recognising its value and the importance of confidentiality and privacy. However, organisations should not regard data protection simply as a cost, compliance requirement or as a defensive measure. That would take a very limiting approach in our attitude towards data as a resource. Rather, if we manage this well, the management of data can be a source of business competitiveness and a means to create new opportunities. That is what we want to develop—the capacity to collect and use data innovatively and responsibly. Indeed, PDPC’s recent industry survey1 found that almost three-quarters of the respondents agree that good data protection practices can directly contribute to business innovation and growth.
7 It is important to recognise that data protection is a responsibility which cuts across all levels and divisions of an organisation. Good accountability practices start from the top. Board members, CEOs and senior management must lead by example, incorporating data protection as part of corporate governance and risk management frameworks in the organisation. This sets the tone for how the entire organisation and its employees regard and handle personal data.
8 In that context, we believe that the DPO is critical to the success of every enterprise in the digital age. Similar to the role of HR and Finance Directors with respect to human and financial resources, the DPO can and should play a central role in protecting and harnessing an organisations’ data resources.
9 Under the PDPA, it is mandatory to appoint a DPO. Businesses with capable DPOs will enjoy a competitive advantage, by maximising data sharing partnerships while ensuring trust and accountability. They will be able to collect and use data responsibly to drive innovation and when adopting emerging technologies to apply these data resources effectively. An effective DPO will be able to lead this effort by directing and overseeing data protection and data innovation initiatives. In short, the DPO is not just a custodian of this resource. He/she is actually a key part of the management team who can help to use data innovatively as part of the business strategy going forward.
10 On the part of the Government, we are committed to do more to support organisations in strengthening their DPOs’ capabilities. This is why we are releasing the world’s first DPO Competency Framework and Training Roadmap that combines both data protection and data innovation. The DPO Competency Framework describes a set of skills and the different proficiency levels needed for data protection officers, from entry-level right up to those who shoulder regional and international responsibilities. The Training Roadmap in turn will identify the courses that DPOs need to undergo to achieve the next level of proficiency. This Framework is modelled on the Skills Future Framework and provides a clear pathway for DPOs to upskill and progress in their careers. This is a novel initiative and we would like to acknowledge the contributions of industry experts such as AsiaDPO, the International Association of Privacy Professionals, the Law Society’s Cybersecurity and Data Protection Committee and SMU Academy.
11 For business owners and HR managers, this Framework can serve as a guide to help you decide how to structure your data protection functions, make hiring decisions as well as organisational structural decisions. Additionally, it can help you plan the training for your DPO and data protection team, which is what the management of Leacov School of Security intends to do. The right data protection team under an able DPO can be an effective component of a company’s management and support the efforts to build consumer trust and support businesses growth.
12 To the DPOs here with us today, the Framework maps out a clear career path in data protection and the types of skills and training that are needed to develop and advance in such a career. This is a new and an evolving area, one that has much potential. While we as individuals must equip ourselves with the requisite skills, it is also important that we have employers, companies step up and recognise the important roles of our DPOs, and the importance of such a framework. I am glad that 16 companies and societies have already indicated their support for the Framework, including Mendaki Sense, Bayer and Benjamin Barker.
13 As a start, the PDPC is partnering the National Trades Union Congress, and supported by e2i and NTUC LearningHub, to launch a pilot programme to support companies in deepening the data protection skills of their workers. It is expected to benefit at least 500 DPOs in the first year, and more details on the courses will be shared later this year. The PDPC will also work with the NUS Law Academy, SMU Academy, Singapore Polytechnic and Institute of Singapore Chartered Accountants to make additional data protection-related courses available. The Training Roadmap will be updated as more courses come on stream, but also importantly, in response to developments in the data landscape and evolving needs. With this DPO Competency Framework and Training Roadmap, Singapore aims to be the provider of high quality training for DPOs in the region.
Growing trusted data flows
14 Let me now turn to cross-border data flows - which is one of the complex issues that DPOs increasingly have to deal with. We all recognise that such data flows are essential to power innovation and new technologies as modern supply chains cross multiple countries and businesses expand to markets across the globe. I believe the subsequent panel discussions will have more to say on this topic.
15 Singapore supports cross-border data flows which are undergirded by strong data protection standards. However, organisations have shared that it is challenging to transfer data securely and seamlessly as the data regulatory landscape is uneven. In addition, they are unsure if organisations receiving their data have trusted systems in place. That is key—we need mechanisms that ensure trust that the data which is shared will be handled with care with regard to confidentiality and used for legitimate purposes. Hence, to help organisations transfer data with greater trust and confidence, I am pleased to announce that Singapore will be certifying organisations under the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processor (PRP) Systems. Organisations can henceforth apply to IMDA to be certified. Certified organisations in Singapore will be able to seamlessly exchange data with other certified organisations in participating APEC economies such as the US and Japan. Consumers can also be assured that such exchanges of their personal data will be well-protected.
16 The CBPR and PRP certifications are not just for large global enterprises, but also to help SMEs compete globally. I am glad to learn that already, four companies have recognised the value of APEC CBPR. Accenture and Salesforce have expressed interest in the CBPR certification, while our local enterprises CrimsonLogic and SME TRS Forensics will be applying for the CBPR certification. To help SMEs get certified, IMDA will be waiving the application fee for SMEs until June 2020. Enterprise Singapore will also support Singapore companies to be certified. We want to see the response, study the way companies are adapting before we review what else needs to be done in this regard.
17 The APEC CBPR and PRP certifications will complement Singapore’s Data Protection Trustmark certification (DPTM) which was launched in January this year. The DPTM has seen strong momentum since its launch. We now have 12 DPTM-certified organisations across diverse sectors and another 30 are currently undergoing certification. DPTM-certified organisations have also affirmed its value. For example, DPTM has helped DBS Bank reinforce its standing as an organisation with strong data protection processes and practices, and build trust with customers. Another DPTM-certified organisation, MaNaDr offers an all-in-one healthcare app that connects patients to doctors, and sees the DPTM certification as an effective way to assure its users of its data protection policies and practices. We will build on this by integrating the application and assessment processes for both DPTM and APEC certifications, making it easier for organisations to apply for them. IMDA and PDPC are also working on increasing the recognition of the DPTM outside Singapore, through regional efforts like the ASEAN Framework on Digital Data Governance. I encourage more organisations to participate and benefit from these initiatives.
18 I would like to conclude by noting that the way data is being used will continue to evolve as technological changes bring about new opportunities and complexities. But what is clear to all of us, is that data is an irrefutably important resource for every organisation. The power of data lies not just in how we collect it, but also how we are able to aggregate it in order to derive the macro observations which can power business decisions and other public sector and people sector initiatives. It is only through strengthening our capabilities and forming trusted connections that we can adapt and thrive in the data-driven digital economy. We need more consumers and organisations to embark on this journey and help them understand the importance of data protection, how it can be used responsibly, and contribute significantly to innovation. We also need to be involved in international partnerships—working with like-minded partners and jurisdictions to take the process forward not just in our respective economies, but also on a cross border basis. I hope that this seminar, and the many initiatives that we have embarked on will result in some of these tangible and productive outcomes in this important and dynamic area. I wish all of you a very productive Seminar.
19 Thank you.
1 Annual survey conducted among 1,500 industry representatives from March to June 2019.