PERSONAL DATA BREACH RESPONSE AND PDPA COMPLIANCE REVIEW

2024

A small financial services company retained me after discovering that customer data had been accessed without authorisation by a former employee. The company had no data protection officer, no documented personal data processing notice, and no incident response procedure in place at the time of the breach.

I conducted an urgent review of the company’s data handling practices against the seven principles of the Personal Data Protection Act 2010, prepared a breach notification to the Personal Data Protection Commissioner, and drafted the required notices to affected data subjects under the Act.

Following the immediate response, I assisted the company in implementing a PDPA compliance framework: a data inventory, a privacy notice for customers, an internal data protection policy, and a basic incident response plan. The Commissioner accepted the company’s notification and no enforcement action was pursued. The engagement underscored the significance of proactive compliance before incidents occur rather than remediation after the fact.
