PDPA Update: Guidelines for web design and development
On 20 July 2016, the Personal Data Protection Commission Singapore (PDPC) issued its latest set of guides for organisations on the protection and processing of personal data.
In this update, the PDPC outlines an extensive list of items for companies. Personally, I don’t think it’s their intent for us to follow through all items strictly. However, we need to be diligent in keeping our customers’ data secure. It can be as simple as a contact form where customers leave their contact details. Hence, we need to decide the extent of the security.
PDPA (Personal Data Protection Act) Obligations
Section 24 of the PDPA requires an organisation to make “reasonable security arrangements to protect personal data in its possession or under its control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”
The company (the client) is responsible for its own website.
Refer to section 3.2 (Negotiating IT Vendor’s responsibilities) of the “Guide on Building Websites for SMEs”.
Read more at PDPC’s website
Actionable steps for Companies
Which types of websites need to comply? Any website that has one of the functions below:
- Contact form
- Shopping cart
- Events registration
Quick glance: Questions for companies to ask vendors
- Who has access to customers’ data?
- Is development and maintenance done by the vendor, or is it outsourced?
- Resiliency of the website: if the site goes down, what is the next course of action?
- Extent of security: what has been done to ensure security?
- (WordPress websites) When were the core and plugin files last updated?
Qualities of a vendor
- Provides a proposal on how personal data is handled.
- Ensures vulnerabilities are patched.
- Ensures that the personal data of individuals handled by the website is not disclosed to unauthorised parties by its personnel or sub-contractors.
- Advises on appropriate security measures for the website.