4 Steps of Accountability

While there are mandatory accountability requirements under the PDPA, organisations should consider accountability measures beyond merely complying with the law. 

As a good practice, organisations could demonstrate accountability by establishing a structure for governance and risks assessments, by developing management policies and practices for the handling of personal data, and by establishing processes to operationalise them

Step 1: Governance and Risk Assessment

Good accountability practices begin with an organisation’s leadership, and is directed through its corporate governance. The senior management of an organisation should have an understanding of risks and review the risks on a regular basis to take into consideration changes in business models, regulations, technology and other factors. Thus, a key step to ensure a commitment to accountability is to embed personal data protection into corporate governance.  

Step 2: Policies and Practices

An organisation should develop appropriate data protection policies and practices as part of its corporate governance and risk management structure, and communicate these clearly to both external parties (e.g. vendors, customers) and internal stakeholders (e.g. employees).

In particular, personal data protection is the responsibility of every employee. It cuts across roles, functions and hierarchy and should be practised by staff (including volunteers and contract staff) at all levels of the organisation as well as third-party service providers. 

Having dedicated internal policies and practices on specific areas will also provide clarity to internal stakeholders on the responsibilities and processes on handling personal data in their day-to-day work.

Step 3: Processes

An accountable organisation also puts in place effective processes to operationalise its policies to address data protection risks throughout the data lifecycle (i.e., from collection to disposal of personal data) and across business processes, systems, products or services. 

To set up specific processes, an organisation should begin by documenting its personal data flows to understand how personal data is being collected, stored, used, disclosed and archived/disposed. Thereafter, it should identify key gaps and areas for improvement with respect to data protection, before incorporating data protection practices into business processes, systems products or services.

Step 4: Review

Organisations should regularly review their data protection policies, practices and processes to identify and address any gaps. In a rapidly evolving digital economy, this will ensure that the organisation is up-to-date with regulatory and technological developments, and that data protection risks are being managed effectively.

Find out how to implement these 4 steps in our Guide to Developing a Data Protection Management Programme.

Resources

Accountability Within Industry	Accountability In Enforcement