Updates on the PDPA Guidelines: Act Investigation and Enforcement Regime
Updates to the Personal Data Protection Act (PDPA) guidelines were released on May 22, 2019, by the Personal Data Protection Commission (PDPC). The latest revisions were published to help organizations and businesses understand the personal data protection scheme.
In this article, we have summarized the updates to the PDPA guidelines. Let’s check them out.
Enforcement process
First off, the enforcement process starts with a complaint or notification to the PDPC when a data breach incident happens. Afterward, the PDPC will decide whether or not to investigate.
If the PDPC decides to investigate, it will start right away with a fact-finding mission through different resources. These include conducting interviews, issuing relevant documents to gain access to important documents, making site visits, and more.
Afterward, the Grounds of Decision set out the PDPC’s findings on whether there was a breach or not. If there was a breach, enforcement action will be put in place: either a warning only, or directions, which are usually steps on how to improve the organization’s data protection systems. In addition, the PDPC could also impose financial penalties depending on the gravity of the situation.
Compulsory reporting of data breaches
Even though the PDPC’s enforcement actions are largely based on complaints and on voluntary notifications from the organizations and businesses involved, the PDPC has stated its intention to introduce compulsory reporting of data breaches into the PDPA. Currently, the PDPA does not contain a compulsory breach reporting clause.
Moreover, this update amends the PDPA guidelines on managing data breaches, issued earlier in 2015, to set out what steps to take in reacting to a data breach scenario. Specifically, it aims to have a PDPC official or the affected parties notified in case of a data breach.
This notification will help the businesses or people involved to protect themselves from impending harm or impact brought about by the breach. However, this can only be done when the number of affected individuals is significant, that is, 500 or more.
The notification process should take no more than 72 hours. Within that time frame, the PDPC should be informed as soon as possible, and intermediaries should inform their clients of a potential or confirmed data breach within no longer than 24 hours.
This timeline is consistent with the one prescribed by the EU General Data Protection Regulation or GDPR. With that said, the PDPC appears to be in the process of streamlining its data breach notification obligations in line with the notification requirements under the GDPR.