Personal Data Protection Compliance Programme

By 2 July 2014, all private organisations are expected to be in full compliance with the Personal Data Protection Act (“PDPA”).

George Hwang LLC has developed a compliance programme to help you meet the obligations of this new law.

The PDPA requires all private entities holding personal data to have the following in place:

  • A Data Protection Officer (“DPO”) who is easily contactable by the public;
  • Policies and practices to ensure compliance with the PDPA;
  • A process or system to respond to public enquiries and complaints;
  • Trained its staff on the organisation’s personal data protection policies and practices; and
  • A transparent data protection policies and complaint system

The Personal Data Protection Commission (“PDPC”) constituted in Jan 2013 is tasked with overseeing the implementation of PDPA. The PDPC has wide ranging power. It includes the power to investigate and to direct organisations, amongst others, to stop using, destroy, provide access to or correct personal data within their control. It can also order a fine to the maximum of $1 million.

Our compliance programme has a 3 Stage procedure. Each stage complements the others, yet, each can be independent. After each stage, the organisation can decide whether to proceed further. They are:

  • Stage 1 – Audit
  • Stage 2 – Implementation
  • Stage 3 – Training

For SMEs, we have a service for continuous compliance. This is our “DPO Service”.


This is a fact finding stage. We will analyse the organisation’s database, their purposes and its data management system. Some organisation may already have a set of policies and practices. We will review them, as part of the audit.

A report on its shortcomings and recommendations will be made. The organisation’s management can study this report and decide whether to proceed to the next stage.


We will assist the organisation to create a system or process, together with drafting the necessary notices, forms and manuals. Depending on the requirements, we may have to work with an IT consultant regarding security of the database.

For SMEs which needs or keeps very limited amount of personal data for its business, we have a standard procedure and manual for adoption.


As it is new, everyone needs to be sensitised to personal data protection issues and the rights of the data subjects. This will enable them to be identified at an early stage and escalation of problems prevented.

We will assist in training your staff through seminars and hands-on coaching. This will depend on the size and needs of the organisation concerned.


We provide a DPO on an annual basis. All clients who use our DPO service must first go through our 3 Stage Programme. We need to ensure compliance before taking on the duties of a DPO.

George Hwang
10th October 2013

For more information, please contact