We've been having discussions with various clients on Singapore's upcoming Personal Data Protection Act and one common question is whether there is a magic bullet to ensuring one will be in compliance with the Act.
The straightforward answer is that there is none.
Some think they can draft a magic word or some clause and they are done. Others think they can attend a talk and the deed is done. I wish it were that easy. You cannot recover from a cough by listening to a medical lecture; likewise, you cannot ensure compliance by attending a seminar.
While the Act prescribes standards in various areas of data collection, there are several reasons why compliance is not as simple an exercise. Let no one underestimate the task.
First, most organizations are already collecting data and have their practices in place. Each of these practices requires examination in light of the new legislation; there is no one-size-fits-all. Compliance issues as well as applicable exemptions all come into play.
Second, most organizations have already collected data, and the treatment of data collected before and after the Act comes into force may vary. Thus, this exercise requires some scoping and navigating. My memory goes back to a few lawsuits in the U.S. where discovery was ordered and the banks involved were only too happy to say no information existed, only for a storeroom with more backup tapes to be found later.
Third, compliance is always an ongoing exercise. Effective compliance requires compliance to be a way of life, built into an organization's DNA. And the process of building this capability into each organization, if the theory of evolution is to be believed, will take some time.