12 November 2013 | Regulatory Compliance – Scope and Implication for Project Managers


Date: 12 November 2013, Tuesday

Time: 7.30pm to 9.30pm, Registration and Buffet Dinner (Vegetarian and Non-Vegetarian Halal) starts from 6.30pm

Location: SMU Lee Kong Chian School of Business | 50 Stamford Road | Seminar Room 1.2 | Level 1

SPMI Member: SGD 30.00
Non-Member: SGD 50.00

PDU: 2

Understanding the Personal Data Protection Act 2012 (PDPA)

The PDPA came into effect in January 2013 and establishes a data protection regime to govern the way organisations in Singapore collect, use, disclose and process personal data. 

The transition period under the PDPA is still ongoing to allow organisations time to review and adopt internal personal data protection policies and practices. The PDPA will be implemented in two phases, with the first phase having already been implemented at the beginning of 2013. The first phase relates to the formation of the Personal Data Protection Commission. The second phase of implementation deals with two areas: the establishment of the "Do Not Call" (DNC) Registry (a registry which will allow individuals to register their telephone numbers to opt out of receiving marketing calls or SMSes), with the DNC Registry provisions coming into effect on 2 January 2014, and the main data protection rules, which come into effect on 2 July 2014.

With severe penalties imposed for PDPA contraventions, it is important for Project Managers to fully understand the scope and implications of the PDPA and the associated obligations for organisations. The Regulations to be made under the PDPA are currently being formulated, and will be issued later this year. As companies continue to assess and build PDPA compliance into their organisational practices and processes, it is important for them to consider the technical safeguards and measures that need to be put in place, such as:

  • Governance and appointment of data privacy officer
  • Dealing with access and correction requests
  • Security measures for protection of personal data
  • Overseas transfer of personal data

MAS Technology Risk Management Guidelines and Notice June 2013 

To better address existing and emerging technology risks faced by financial institutions, the Monetary Authority of Singapore (MAS) issued the Technology Risk Management Guidelines (TRM Guidelines) and Technology Risk Management Notices (TRM Notice) on 21 June 2013. In particular, the TRM Notice sets out the legal requirements relating to technology risk management for financial institutions, including requirements for a high level of reliability, availability and recoverability of critical IT systems. As the TRM Notice will take effect from 1 July 2014, financial institutions will have less than 12 months to work towards being compliance-ready with the TRM Notice's requirements.

The TRM Guidelines and TRM Notice will have an impact on financial institutions' management of IT-related risks in their operations. Ensuring compliance with these new requirements will no doubt be challenging for many financial institutions, which will be looking to build the appropriate contractual safeguards into their agreements with service providers, such as responsibilities and conditions relating to performance targets, service levels, security, contingency planning and disaster recovery capability.

At this session, we will be looking at key areas covered by the TRM Guidelines which Project Managers need to be aware of, such as:

  • TRM framework to manage technology risks
  • Management of IT outsourcing risks
  • Systems reliability, availability and recoverability
  • Operational infrastructure security management
  • Enhanced data centre protection and controls 

We will also be covering the main obligations under the TRM Notice which Project Managers need to be aware of when working toward compliance:

  • Identification of "critical system"
  • Maintenance of "high availability" and Recovery time objective ("RTO")
  • Notification of "relevant incident"
  • Submission of root cause and impact analysis report
  • Protection of customer information

About the Speakers

Bryan Tan
Partner, Pinsent Masons MPillay

Bryan heads the technology media and telecommunications (TMT) practice group at Pinsent Masons MPillay. Bryan has practised since 1997 and is experienced in government regulation matters, TMT and commercial work. 

Bryan is also a member of the following: Singapore Law Watch Advisory Board, Editorial Board of the Digital Evidence Law Journal, Audit Committee of the Singapore Training and Development Association, Lawnet management committee, Singapore Academy of Law, Advisor Board of the (US) National Notary Association, Board of Directors of YMCA of Singapore, Internet Society Singapore, Interactive Digital Media subcommittee of the Singapore Computer Society and Council of the National Youth Achievement Award.

Bryan also wrote Halsbury’s Laws of Malaysia, Chapter 31 – E-commerce (both editions), Halsbury’s Laws of Singapore – E-commerce, the Singapore chapter of Electronic Evidence (three editions), the practitioner's chapter on Data Protection Law in Singapore and the Singapore chapter of the Handbook of Comparative Higher Education Law. He also has a blog column on ZDNET’s TechLegal.

Rosemary Lee
Counsel, Pinsent Masons MPillay 

Rose is a member of the TMT practice group at Pinsent Masons MPillay. She handles a broad spectrum of non-contentious work relating to technology, media and telecommunications matters, intellectual property and general corporate-commercial matters.

Rosemary's wide experience has been gained through advising both public and private sector clients on TMT sector-specific transactions in Asia. She advises both technology vendors and customers/end-user organisations. Her experience covers IT and outsourcing projects, cloud computing, software licensing, and general technology and commercial contracting. She also frequently advises on various aspects of e-commerce, intellectual property, privacy and data protection. 

She is a regular speaker at Pinsent Masons MPillay's Out-Law events covering current technology legal topics (such as data protection and cloud computing) and authored the publication "LexisNexis Annotated Statutes of Singapore – Electronic Transactions Act" (2012).

Event jointly organized by:

SPMI and Internet Society Singapore Chapter