Month: July 2020

Register your Data Protection Officer (DPO) via ACRA’s Bizfile

Register your Data Protection Officer (DPO) via ACRA’s Bizfile

boardroomsuperadmin
PDPA & Data Protection Officer

Personal Data in Singapore is protected by the Personal Data Protection Act 2012 (“PDPA”) which came into effect in 2014. Essentially, the PDPA governs the collection, use and disclosure of personal data legitimately.

Most organisations in Singapore handle personal data in one way or another.  In order to ensure that such personal data is appropriately safeguarded and responsibly managed, the PDPA stipulates that it is mandatory for such organisations to appoint a Data Protection Officer (“DPO”). 

The DPO can be an individual or a team and they can be employees of the organisation or an externally appointed third-party.  The key role of the DPO will be to ascertain that the policies and practises of the organisation in relation to personal data comply with the requirements under the PDPA.

The Personal Data Protection Commission (“PDPC”) in Singapore administers and enforces the PDPA and serves as Singapore’s main authority in matters relating to personal data protection. PDPC has recently collaborated with the Accounting and Corporate Regulatory Authority (“ACRA”) to allow for organisations registered with ACRA to register and/or update their DPO’s name and contact information via ACRA’s BizFile+ using their CorpPass accounts.  With this in place, ACRA-registered organisations that wish to register their DPO details on the PDPC website will now be automatically directed to ACRA’s BizFile+ to do the registration. Non-ACRA registered organisation can continue to register details of their DPO on the PDPC website.

Though registering details of the Data Protection Officer is not mandatory, it is highly encouraged as this will help DPOs stay connected and keep abreast of relevant personal data protection developments in Singapore to ensure continued compliance with the PDPA. With the shift towards companies demonstrating Accountability towards PDPA and not just passive compliance a DPO is more important than ever. If you would like to know more about what demonstrating Accountability means for your business head over to our article written with PDPA expert Straits Interactive for more information

Register your DPO via ACRA's Bizfile Now

Registration and updating of Data Protection Officers’ (“DPOs”) details is now more convenient for Accounting and Corporate Regulatory Authority (“ACRA”) registered companies.

The recent collaboration between the Personal Data Protection Commission (“PDPC”) and ACRA enables ACRA-registered companies to enrol their DPO under ACRA’s BizFile+ platform instead of the PDPC’s website.

If you would like more information on this recent change, reach out to our Corporate Secretarial experts today.

Related Business Insights

Personal Data Protection Part 1 – What it Means to be ‘Accountable’

Personal Data Protection - What is Accountability?

Personal Data Protection Part 1 – What it Means to be ‘Accountable’

boardroomsuperadmin
Accountability in Personal Data Protection

2019 was the year that the Personal Data Protection Commission (PDPC) shifted its focus from a compliance-based approach to that of accountability.  The reason for this shift is stated in the opening paragraphs from the PDPC website:

Organisations today operate in an increasingly connected and competitive digital economy where individuals’ online and real-world activities generate a burgeoning amount of data. In such a competitive and evolving business environment, a “checkbox” compliance approach towards the handling of personal data is increasingly impractical and insufficient to keep pace with the developments in data processing activities. Organisations that focus on compliance through such an approach may find themselves disadvantaged and unable to use data for innovation. 

Over time, with greater awareness of the risks surrounding the unauthorised collection, use and disclosure of personal data, consumers are increasingly cautious about how organisations are using and managing personal data, and place greater value on trust and accountability. It is thus important for organisations to shift from a compliance-based approach to an accountability-based approach in managing personal data.

But what is the meaning of “accountability”? This two-part blog by our partner, Straits Interactive, provides a clear explanation of the term and what companies need to do.

What it Means to be ‘Accountable’

The word ‘reasonable’ and other words based on it – for example, ‘reasonably’ – appears in the Personal Data Protection Act (PDPA) … a lot of times. The word ‘accountable’ and other words based on it, such as accountability, appears in the PDPA exactly zero times.

But we are hearing a lot about accountability in connection with data protection. Before we get to ‘Why?’ let’s look at a couple of examples of compliance versus accountability.

Compliance versus accountability

Traditionally, businesses are required to comply with a wide range of regulatory requirements. If they were caught not complying, they had to fix the shortfall; it they were not caught, then they did nothing much at all. So, compliance is a rather passive approach.

Accountability is different. The Cambridge Dictionary says that ‘someone who is accountable is completely responsible for what they do and must be able to give a satisfactory reason for it.’ Accountability is an active approach.

 

Vignette #1

It’s dinner time on Friday evening. Mum and Dad are chatting about their plans for the weekend.

‘Oh, tomorrow morning I have an appointment with the doctor so I can’t pick the kids up from their enrichment class that finishes at 11 o’clock. Can you do it?’

‘Yes, of course,’ says the responsible spouse.

‘Are you sure? You won’t forget, will you? You won’t be late? They’re too young to be wandering around by themselves,’ says the worried spouse.

‘Stop worrying. It will be OK.’

If the responsible spouse forgets – say they get distracted by reading the newspaper and, suddenly realise that it’s past 11 o’clock already – what happens? Yup, probably the worried spouse will scold them a lot and tell them not to let it happen again. That’s a compliance approach. The worried spouse isn’t going to think that ‘I got distracted and forgot the time’ is a satisfactory reason for the kids being left to wander around alone after their class.

But by contrast, if the responsible spouse takes an accountability approach, they will take proactive steps to make sure that they don’t forget. For example, they might set a timer on their phone that will alert them when it’s 10:30 and they have to get ready to be there before the kids come out of their class at 11 o’clock.

 

Vignette #2

It’s performance appraisal time at work. A manager and a staff are having a discussion about why the staff didn’t meet their sales targets. (Spoiler alert: this might not end well.)

Staff says, ‘It’s not my fault. A few things didn’t turn out as I expected, and these things were outside of my control.’

Manager says, ‘So, what did you do to plan for unexpected events and other things outside of your control?’

Staff says, ‘Er, well … I …’

I’m rather sure that if the staff’s answer is that they didn’t do anything, but just sat back and waited to see what would happen, they aren’t going to get a good performance appraisal.

But if the staff is able to demonstrate that they did various things to achieve their sales goals even in the face of unexpected events and other things outside of their control, they could get a good performance appraisal despite not meeting their sales goals.

We can see from both examples, that accountability is about being able to demonstrate actively taking steps with the aim of making sure that something happens. Compliance is about passively waiting to see how things turn out.

Data protection and accountability

We are hearing a lot about accountability in connection with personal data protection simply because regulators do not think that a passive compliance approach is good enough.

The concept of accountability in the context of data protection is a few years old now, but we’ve been hearing a lot more about it in the last two or three years. Part of the reason is that the General Data Protection Regulation (GDPR) specifically requires accountability.

Mr Yeong Zee Kin, Deputy Commissioner of the Personal Data Protection Commission (PDPC) of Singapore gave the Keynote Speech at the 39th International Conference of Data Protection and Privacy Commissioners in September 2017 in Hong Kong. Amongst other things, Mr Yeong spoke about ‘the pivot from compliance to accountability’. He said that:

‘Accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is about being able to demonstrate to customers that measures which pre-emptively identify and address risks to personal data have been put in place.’

This is especially applicable for companies like BoardRoom that deal with a significant amount of sensitive personal data. With a service offering focused on outsourcing critical back-end business operations like Share Registry, Payroll & Accounting, BoardRoom handles more personal data than most organisations. As a result, they cannot rely on processes tailored towards compliance, BoardRoom is expected to prove accountability around personal data protection. For any businesses interested in outsourcing, a critical evaluation factor when selecting their partner should be ensuring the organisation can demonstrate accountability surrounding personal data protection.

In practice, organisations have to do the equivalent of the responsible spouse setting a phone alert to make sure that that picking up the kids on time isn’t forgotten, or the equivalent of a staff planning to make sure sales goals are achieved in spite of unexpected events. And being able to demonstrate that they have done these things.

Author

Lyn Boxall (CIPM, CIPP/A, CIPP/E, FIP, GRCP, GRCA) is an Advocate and Solicitor in Singapore and co-author of the book “99 Privacy Breaches to Beware of: Practical Data Protection Tips from Real-Life Experiences”.

She practices law in Singapore as Lyn Boxall LLC and is a consultant with Straits Interactive Pte Ltd, a leading specialist in personal data protection and Do-Not-Call (DNC) solutions.

Looking For an Accountable Outsourcing Provider In Singapore?

With the wealth of our experience as outsourcing experts in areas such as payroll outsourcing, corporate secretarial and accounting services, BoardRoom handles a significant amount of our clients personal data. We do not take this responsibility lightly and have been working closely with Straits Interactive for years to ensure that BoardRoom is able to prove accountability.

A key piece towards demonstrating Accountability is the appointment of a Data Protection Officer (DPO) within your organisation. It’s now easier than ever to appoint a DPO with the Personal Data Protection Commission (PDPC) collaborating with the Accounting and Corporate Regulatory Authority (ACRA) to allow for organisations registered with ACRA to register and/or update their DPO’s name and contact information via ACRA’s BizFile+ using their CorpPass accounts. Head to our article on this to find out more.

Interested in learning more about our accountability measures regarding personal data? Get in touch with one of our outsourcing experts who will explore in detail how BoardRoom ensures more than just compliance when it comes to personal data protection.

Related Business Insights

Why you should be considering an Employee Share Plan amidst Covid-19

Employee Share Plan Amid Covid-19

Why you should be considering an Employee Share Plan amidst Covid-19

boardroomsuperadmin
Market Outlook

In this article, we will be exploring the implementation an Employee Equity Plan as a viable option for companies looking for solutions to survive the economic downturn & long-term employee retention post Covid-19.  As the spread of the Coronavirus curbs we seem to be facing another crisis, a global economic downturn, one in which we are already seeing companies making job/pay cuts across the board. In Singapore specifically Gross Domestic Product (GDP) is expected to shrink by 7% in 2020.

The news has been dominated by stories of blue-chip companies like HSBC who introduced pay cuts to their executives for the next 6 months. Coworking space giant, WeWork, has laid off 2,400 of its employees. Devastating as these stories are, the actions taken are not new measures for coping with an economic downturn. Similar actions were taken both in the 2008 Financial Crisis and the 2000 Dot-com bubble.

We should ask ourselves, are these actions ideal given we’re now 10+ years on and still adopting the same measures for navigating through an economic downturn?

Covid-19 Pandemic Response Consequences

History tells us that taking these cost-cutting measures to keep businesses afloat during times of financial difficulty comes with severe consequences.

Some of these consequences include:

  • Voluntary resignations as a result of reducing your current workforce. A 1% reduction in your current workforce can result in a voluntary resignation increase of 31% the following year
  • Drops in job satisfaction and performance. When you impose a layoff, survivors will experience a 41% drop in job satisfaction and a 20% drop in job performance
  • When you introduce a pay cut, it will adversely affect job performance

The driving factor for these consequences is that it causes employees to lose control over their employment and any survivors will be stretched to fulfil business requirements. This will only further impact job performance and increase voluntary resignation due to plummeting job satisfaction.

Why an Employee Share Plan Incentive Scheme could be a viable solution

So, if we know the current solutions are not having positive long-term effects on businesses then what can be done? An effective solution could be the implementation of an Employee Share Plan.

We’ve detailed below some options and their benefits to companies:

  1. Introduce long term incentive schemes. To replace short term cash bonus with an employee equity plan or share option scheme, allowing financial liquidity.
  2. Revise current employee share plan. To increase rewards to employees who enhance (or reduce) company’s cost structure and increase operational efficiency during an economic downturn.
  3. Revise current performance metrics. Lower the Total Shareholder Returns (TSR) to an achievable level and increase time frame for performance evaluation.
  4. Bottom-Up approach. To offer long term employee incentive schemes to lower management people.
  5. Adopt a bonus reserve, to fund incentive schemes.
  6. For start-ups who are looking to drive company growth an Employee Share Option Plan would be an effective way to incentivise staff towards a common goal and subsequently drive growth.
  7. For start-ups with an existing Employee Share Option Plan (ESOP) but are looking to offload administrative burden and maximise the workforce on revenue generating initiatives, should outsourcing their ESOP.

The overarching objective for each of these is to incentivise critical business units to perform at a high level in order to weather any economic downturn.

Key to Success for Share Incentive Schemes

Like any challenging situation key to success is being razor sharp in everything you do. In the face of an economic downturn it’s not always every sector that is impacted. Industries like Healthcare Services, Technology Equipment, Software and IT Services are expected to benefit from this current pandemic and will continue to perform well.

Don’t get swept up in the emotion of sensationalised media headlines showcasing devastating job losses and pay cuts globally. Stick to the facts. A recent study conducted by AON has shown that only 10% of companies across Asia have implemented pay cuts amid the COVID-19 pandemic.

If you are in a sector that has been impacted and you need to make changes, don’t default to traditional measures (think job/pay cuts) consider your motivations for the changes you need to make and then evaluate if an employee share plan could be a solution for you.

Some key questions to consider when evaluate if and what type of share plan is suitable for you are:

  • Is your company looking into rewarding employees based on long-term achievements?
  • Are you looking into instilling ownership thinking into your employees?
  • Is your company looking into replacing short term cash rewards, with long term equity rewards?
  • Are you looking into driving different employees into achieving specific outcomes (i.e. TSR, ROE, Client Retention etc.)?

Remember that an employee equity plan scheme is not a short-term win but a long-term business strategy. Surveys conducted by AON have shown that 75% of companies who adopt a long-term incentive scheme will continue to utilise it. Be Open Minded. Realise the potential from your existing workforce and seek solutions to capitalise their performance and secure a business future.

Looking For A Trusted Employee Share Plan Firm In Singapore?

We have designed an all-rounded encompassing solution comprising of an experienced Share Plan team of practitioners and a digital solution to help you manage your strategic initiative.

01 Learn more about EmployeeServe - our Employee Plan Services platform!
null

Contact us today to find out more about our class-leading solution.

Or you can also learn more about our Employee Stock Option Plan (ESOP) services here.

Related Business Insights