Data Protection: HR & Corp Sec – 3 Big Questions (PDPA and GDPR regulations)

February 26, 2020


Hi, I am Qian Li from Straits Interactive, and I help HR tech and corporate secretarial companies find answers to the 3 biggest questions in data protection: Why do others want my data? How does it affect me? What can I do about it?

Personal data is commonly called the new oil for its tremendous value. In the case of employees’ data, this value could rocket due to the amount and sensitivity of the personal data involved. Hence, if a data breach happens, the potential damage can be far reaching. Imagine if your name, birthday, NRIC and bank account number are leaked: you may find that your credit and financial health can be compromised.

Here are 2 HR functions to consider when reviewing privacy risks.

Recruitment – CVs, e.g. excessive copies of CVs. When you have outsourced this function to another vendor, you should check how your vendor manages the CVs they receive. In the case of SearchAsia, the CVs were put in a public folder which was accessible by performing a search via search engines. If you are a Recruitment Tech firm, you should practise privacy by design principles.

Learning and development – HR professionals may also be managing the learning and development programmes of the company, and learning portals can hold personal data including the NRIC, especially if professional certifications or government funding are involved. Special attention must therefore be given when managing L&D portals, whether directly by the company or via a 3rd party vendor. A common lapse can be observed from the cases of Marshall Cavendish and Learnaholic. In both cases, a temporary access measure was lifted for troubleshooting but was not reverted to the original settings. This allowed hackers to gain access to the system’s database, putting over 250,000 personal data records at risk.

In recent years, Corporate Secretarial firms have also seen increased concerns regarding data protection. In my conversations with some of these firms, they have cited concerns regarding data protection clauses in business contracts and even possibly tenders. Since many CorpSec firms offer a multitude of services based on trust and professionalism, including resident directorship, accounting, legal and others, CorpSec firms should note that data protection is a core pillar in the ecosystem. For example, some CorpSec firms have been approached to be outsourced DPOs, and the question really is: are you ready to capture this wave of opportunity?

The answer is simply that you cannot do so if you are unable to first demonstrate accountability, and that goes beyond having appointed a DPO or crafted policies. Instead, you will need to show evidence of having executed your policies and beyond. Hence, it is important to be operationally compliant with the data protection laws, both to protect your company and to capture opportunities in this wave. Don’t be the next to suffer from a breach, and don’t be the last to join the market.
