From boardroom to breakroom – Embedding data privacy into company culture in Singapore

18 September 2024 | Applicable law: Singapore | 6 minutes read

In today's digital landscape, compliance with data protection laws, such as Singapore's Personal Data Protection Act (PDPA), requires more than just technical solutions. A strong organisational culture that prioritises data protection and accountability is also essential to compliance.

This article explores how embedding data protection into an organisation's culture can help mitigate risks, enhance compliance, and build trust.

1. Cultivating a compliance-first mindset across all levels

A compliance-first mindset means that every employee, from top executives to entry-level staff, understands their role in protecting personal data. This mindset should be cultivated by incorporating data protection into the company’s core values and everyday practices.

Recent data protection enforcement cases in Singapore have shown that failures in data protection often result from a lack of basic understanding and responsibility at all levels. In one case involving an edtech company, the company did not appoint a Data Protection Officer (DPO) for over five years after incorporation, indicating a lack of internal prioritisation of data protection responsibilities.

Furthermore, it was argued in the same case that the PDPC should only consider Singapore-based individuals rather than the global number of affected individuals, as the latter would be subject to investigations by foreign data protection authorities. The PDPC rejected this argument, holding that companies must account for all personal data in their possession or under their control, regardless of location. This affirms that companies must hold themselves accountable for all personal data when dealing with data protection obligations under the PDPA.

Actionable steps:

  • Integrate data protection into onboarding. Every new employee should receive training that emphasises the importance of data protection. Instead of merely ticking boxes, onboarding should include real-world scenarios where employees identify data protection risks and learn how to address them.
  • Incentivise and reward compliance. Recognise and reward employees who actively contribute to data protection initiatives, such as identifying potential vulnerabilities or suggesting improvements to existing protocols. For example, regular recognition programs or incentives can help promote a culture where data protection is everyone’s job.

2. Moving beyond basic training: Effective, ongoing education

Traditional training often falls short because it is too generic and lacks engagement. A more dynamic approach is needed to embed data protection principles deeply into the organisational culture.

Breach of the PDPA's accountability obligation is the second most common amongst data protection cases in Singapore and these often involve inadequate training on data protection. Without proper training, employees might not recognise risky behaviours or understand how to handle data threats and breaches effectively.

Actionable steps:

  • Use real-life scenarios relevant to your industry. For instance, a financial institution might simulate a phishing attempt targeting employees to see how they react. This type of learning helps employees understand the practical risks and the implications of data protection in their specific roles.
  • Provide regular refreshers and updates. Data protection laws and threats are constantly evolving. Schedule periodic training sessions for employees to reinforce knowledge and best practices and provide updates on new threats and regulatory changes. Make these sessions interactive, perhaps through quizzes or group discussions, to reinforce learning.
  • Tailor training to the specific needs of different departments. For example, the marketing team may need to understand data protection in the context of customer data analytics, while the IT department may require more technical training on securing data infrastructure.

3. Leadership’s role: Setting the tone for a culture of accountability

The commitment of senior leadership to data protection is critical in setting the tone for the rest of the organisation. Leaders must demonstrate their dedication through their actions, decisions, and communications.

The PDPC has increasingly emphasised the shift from a compliance-based approach to one focused on accountability. Leaders who demonstrate accountability by being actively involved in data protection initiatives can help build a culture that encourages all employees to take data protection seriously.

A recent case involving a government-linked conglomerate which provides logistics, data centres and subsea cable systems serves as an example where the lack of proper oversight from leadership resulted in significant compliance failures. The company’s repeated failure to ensure the deletion of personal data from an old server after migrating files to a new cloud storage solution, and the absence of supervision and clear instructions to staff, could be seen as leadership shortcomings which led to organisational failures.

Actionable steps:

  • Senior leaders should be visibly involved in data protection initiatives, such as attending data protection training sessions or actively participating in data breach response exercises. This visibility reinforces the message that data protection is a strategic priority.
  • Leadership should give the privacy team a mandate to conduct regular internal audits of data protection practices and review the findings personally. This not only demonstrates commitment but also allows leaders to make informed decisions about resource allocation and policy adjustments.
  • Leaders should be directly involved in developing and communicating data protection policies. This involvement helps ensure that policies are aligned with the organisation’s strategic objectives and that employees understand the importance of compliance.

4. Reinterpreting PDPC cases: A cultural perspective

Examining PDPC enforcement cases through a cultural lens reveals how organisational behaviour affects compliance.

For instance, in a case involving a restaurant reservation platform, the PDPC cited evasive and dilatory responses during its investigation as an aggravating factor in the financial penalty imposed. This suggests that a culture which does not prioritise transparency and accountability can lead to more severe penalties. In contrast, companies such as Sembcorp Marine Ltd, which had adopted good practices in relation to its ICT systems, acted promptly to address a breach and cooperated with the PDPC's investigation, were not penalised despite a data leak.

Actionable steps:

  • Foster a culture of transparency and encourage openness about data protection issues. Employees should feel comfortable reporting potential breaches or vulnerabilities without fear of adverse consequences.
  • Establish clear internal protocols for responding to data breaches and engaging with regulators like the PDPC. Organisations should respond promptly, provide full cooperation, and maintain transparent communication during investigations to demonstrate a commitment to accountability.

5. Measuring cultural impact on compliance: Concrete metrics and tools

Measuring the effectiveness of a data protection culture can help identify gaps and opportunities for improvement.

PDPC guidelines now emphasise an accountability-based approach, which requires organisations to demonstrate that they are proactive in managing data protection risks. Without measuring cultural impact, it is difficult to know whether efforts to promote data protection are effective.

Actionable steps:

  • Regularly survey employees to assess their understanding of data protection policies, comfort in reporting issues, and perceived support from leadership. Use this data to make adjustments to training or communication strategies.
  • Consider adopting certifications such as the Data Protection Trustmark (DPTM) to formally validate your organisation’s data protection standards. This can help build trust with customers and regulators and demonstrate a commitment to high standards of data protection.

Building a reputation of trustworthiness

Achieving compliance with the PDPA requires more than just technical measures or policies – it requires a robust organisational culture that values and prioritises data protection. By fostering a compliance-first mindset, engaging in dynamic training, showing leadership commitment, fostering transparency, and measuring cultural impact, companies can better protect personal data and build a reputation of trustworthiness. This holistic approach not only helps prevent data breaches but also positions organisations as responsible custodians of personal data in a rapidly evolving digital economy.

Should you have any questions on any of the points discussed above or would like advice on data protection, please do not hesitate to get in touch with any of the authors listed below.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
