The Personal Data Protection Commission (PDPC) released the Guide to Effective Enforcement on 22 May 2019, an update to the PDPC's approach to enforcement action.
In keeping with the current approach laid down in the Advisory PDPC Guidelines on Data Protection Compliance (Directive), there are three main compliance strategies. The PDPC may use alternative dispute resolution methods, such as mediation and facilitated discussions, where the matter is considered to be mainly a disagreement between the parties. The PDPC may also launch investigations, exercising its regulatory powers under the Personal Data Protection Act (PDPA) to establish the facts and reach a decision. Finally, the PDPC may review an organisation's decision on a request for access to and/or correction of personal data.
The Guide outlines two further intermediate compliance strategies, undertakings from cooperative organisations and expedited actions, which may be used instead of a full investigation.
Although these are not explicitly set out in the PDPC Guidelines or the PDPA, the Guide provides useful information on how the PDPC applies its rules in different situations, particularly when pursuing infringements.
This update matters to organisations that want to better understand the new compliance tools available and the preparatory measures they should take so that the option of an undertaking remains open to them.
An undertaking is a formal written commitment by an organisation to the PDPC to voluntarily correct violations and take steps to prevent a recurrence.
Usually, an undertaking is open to an organisation when:
- A similar or better compliance outcome for the PDPC is obtained more efficiently and effectively than a full investigation;
- The organisation can show that it has responsible data protection policies or a Trustmark and that it is prepared to execute an effective remediation plan.
The remediation plan should include measures to reduce the risk of the incident recurring, monitoring and reporting procedures, audits, and policy/process updates.
Usually, an undertaking will also include a summary of the incident and of the measures taken to notify and mitigate harm to the affected individual(s). The PDPC also requires executive-level support from the organisation, requiring that the undertaking be signed by the CEO or someone of equivalent rank.
The Guide also gives examples of cases in which the PDPC will not approve an undertaking proposal: for example, where the organisation disputes its responsibility for the data breach incident, refuses to accept the terms and conditions of the undertaking, or refuses to consent to publication of the undertaking.
An undertaking proposal should be submitted promptly after proceedings have started, with the organisation's remediation plan ready. The PDPC will not approve an application from an organisation that needs an extended timeframe to prepare a remediation plan.