Course Duration

21.0 hr(s)

Mode of Assessment

Students will be required to complete a paper-based assessment during class.


Who Should Attend

The participants for this programme are likely to be:

  • Compliance Managers or Data Protection Officers (DPOs)
  • Privacy or Legal Counsel
  • Auditors, Human Resource, IT personnel, Executive / Managers who need to be involved in data protection matters; and
  • Any Data Protection Officers (DPOs) or those who are looking to take on or expand their role as a DPO in organizations.

What's In It for Me

Be equipped with practical data governance and data protection knowledge and skills and learn to utilize risk-based tools to establish a robust data protection infrastructure for your organization.

Help your organisation:

  • Establish a robust data protection infrastructure through the use of risk-based tools
  • Identify and manage risks in personal data management
  • Develop a Data Protection Management Programme and manage data breaches
  • Conduct a Data Protection Impact Assessment

Course Overview

This three-day course identifies and communicates key legislative and regulatory requirements, and assesses, documents and reports potential areas of non-compliance with regard to policies, procedures and business activities. It assists in the integration of procedures to ensure compliance, and prepares management reports for follow-up.


Course Objectives

  • Understand the importance of being accountable for the personal data that your organisation handles
  • Identify and manage risks in personal data management
  • Develop a Data Protection Management Programme
  • Conduct a Data Protection Impact Assessment
  • Help the respective organisation establish a robust data protection infrastructure through the use of risk-based tools
  • Manage data breaches


For those who are new, it is recommended, but not mandatory, to first take the introductory course on the PDPA (titled "Fundamentals of the PDPA (2020)") under SkillsFuture Singapore's Skills Framework for ICT.


Participants are assumed to be able to:

  • Ensure organisation’s compliance to Personal Data Protection Act (PDPA)
  • Manage risks associated with collection, use, disclosure and storage of personal data.
  • Drive awareness of PDPA requirements in the organisation.
  • Handle queries, complaints and disputes on the organisation’s management of personal data.
  • Manage people and organisation in the areas of operational needs, optimising resources, budget allocation, managing and tracking team’s achievements.
  • Assist the review of adherence to legislative and regulatory requirements in accordance with organisational guidelines / policies.
  • Prepare management report for follow-up action.

Hardware & Software

This course will be conducted as a Virtual Live Class (VLC) via Zoom platform. Participants must own a Zoom account and have a laptop or a desktop with “Zoom Client for Meetings” installed. This can be downloaded from

System Requirement

Must Have:

Please ensure that your computer or laptop meets the following requirements.

  • Operating system: Windows 10 or MacOS (64 bit or above)
  • Processor/CPU: 1.8 GHz, 2-core Intel Core i3 or higher
  • Minimum 20 GB hard disk space.
  • Minimum 8 GB RAM
  • Webcam (The camera must be turned on for the duration of the class)
  • Microphone
  • Internet Connection: Wired or Wireless broadband
  • Latest version of Zoom software to be installed on computer or laptop prior to the class.

Good to Have:

  • Wired internet connection
    Wired internet will provide you with stable and reliable connection.
  • Dual monitors
    Using a dual monitor setup will undoubtedly improve your training experience, enabling you to simultaneously participate in hands-on exercises and maintain engagement with your instructor.

Not Recommended:

Using tablets is not recommended due to their smaller screen size, which could cause eye strain and discomfort over the course of the program's duration.

Course Outline

Chapter 1: Fundamentals of the PDPA (2020) – A Brief Recap

1.1 The DP provisions in the Personal Data Protection Act

  • Amendment Bill effective 1st February 2020

1.2 The eleven obligations in the DP provisions

  • Overview of the PDPA 11 Key Obligations and new Obligations (Data Breach Notification and Data Portability)
  • Objectives of the Data Protection Regime
  • Accountability is the fundamental principle
  • Enhanced Consent framework
  • New exceptions (Legitimate Interest, Business Interest and Research & Development) emphasise the importance to enable data use and innovation in a way that is meaningful to the customer

1.3 The Do Not Call (DNC) provisions

  • Prohibition of dictionary attacks and address-harvesting software
  • Liability of third-party checkers of the DNC Register
  • Civil administrative regime for DNC offences

1.4 Appointment and role of a Data Protection Officer

  • Registration of DPOs is a new category as part of companies’ registration with ACRA or other Government registries

Chapter 2: Accountability

2.1 What Accountability means and requires

  • Concept of Accountability (Part III of the PDPA amended)

2.2 Data Protection by Design Approach

2.3 Addressing misconceptions of PDPA compliance

  • Share in brief on some myths and mindsets to overcome

Chapter 3: Overview of the Data Protection Management Programme

3.1 Benefits: Why an organisation should have a DPMP

3.2 Components of DPMP:

  • Governance and Risk: Establishing a governance structure to define values and identify risk with organisational leadership
  • Policy and Practices: Developing a data protection policy with good practices
  • Processes: Designing processes to operationalise policies
  • Review: Detailing steps to keep data protection policy and processes up-to-date with changes in internal and external environments, e.g. regulatory, business and technology
  • Some key steps to developing the DPMP

3.3 Considerations for implementing a DPMP

  • Explain that there is no “one size fits all” approach

3.4 Addressing challenges in implementing DPMP

  • (Discussion) What are challenges you face in implementing DPMP?

3.5 Establishing a Governance Structure

3.6 Getting started with the DPMP

3.7 DPMP with regards to data intermediaries

Chapter 4: Identify and Document Personal Data Handled, Part 1

4.1 Document Data lifecycle – what it is and why organisations need it

  • Run through example of data flow diagram

4.2 How an organisation understands Data Life Cycle

(Hands-On Activity 1) How an organisation understands data life cycle

  • Identify Business Process involving personal data

Chapter 5: Identify and Assess Risks, Part 1

5.1 Introduction to risk and risk management

Share on the principles of:

  • Confidentiality (C): Risk to organisation or individuals arising from unauthorised or inappropriate disclosure
  • Integrity (I): Risk to information quality or corruption
  • Availability (A): Risk to information not being available to intended users

5.2 The place of data classification in risk management

  • Decide what data classifications are appropriate for the personal data your organisation handles and classify the personal data

a) Identify and document risks

b) Classify Data

c) Identify potential risks in data lifecycle

  • Exposure or gaps in each department’s specific processes?
  • Is there any unauthorised disclosure of data?
  • Is there excessive disclosure of personal data?
  • What tools can be used to assess areas of risk?
  • E.g. Have we exercised due diligence when selecting a vendor?
  • Is there an adequate contract in place with the vendor?

d) Decide what data classifications are appropriate for the personal data your organisation handles and classify the personal data

e) Go through the considerations and decide what specific actions need to be taken

5.3 Risks relating to the DP and DNC Provisions

  • Examples of instances of non-compliance with the PDPA

5.4 Risk relating to business processes

5.5 Risk relating to data intermediaries (e.g. Outsourced data processing)

5.6 Risks relating to electronic processing of personal data (e.g. Are there safeguards in place?)

  • Some causes of cyber security incidents or personal data breaches
  • Difference between cyber security incident and personal data breach

(Hands-On Activity 1 - continuation)

5.7 Seven common mistakes made by organisations

Chapter 5: Identify and Assess Risks, Part 2

5.8 Assessing / measuring risks and ranking them – risk rating/scoring

  • Assess, measure risks, prioritise top 5 risks
  • Issues, vulnerabilities and weaknesses
  • Apply the Risk Assessment Framework to the risks you have identified both at the overall organisation level and at the department level
  • Qualitative or Quantitative Approach

5.9 Next steps after ranking risks - reporting to senior management

  • How would you report your findings to senior management?

Certificate Obtained and Conferred by

  • Certificate of completion from NTUC LearningHub

Upon meeting at least 75% attendance and passing the assessment(s), participants will receive a Certificate of Completion from NTUC LearningHub.


Upon successful completion of the course, participants will receive the WSQ Statement of Attainment (SOA) issued by SkillsFuture Singapore.

Candidates who successfully complete the course with:

  1. 75% attendance
  2. A pass in the assessment (pass rate: 70%)

will be awarded the NTUC LearningHub Certificate of Completion.

Additionally, there is an optional computer-based examination that participants can take after the completion of their course to obtain the Practitioner Certificate for Personal Data Protection (Singapore), co-issued by the PDPC and the International Association for Privacy Professionals (IAPP).


Conditions to be fulfilled in order to obtain the certificate

  1. Candidates must complete the "Practitioner Certificate in Personal Data Protection (Singapore) 2020" preparatory course
  2. Take the computer-based examination within six months of attending the preparatory course
  3. Pass the computer-based examination by attaining a score of at least 70%

More information about the computer-based examination

  • Format: Candidates will be given two hours to complete the computer-based examination comprising 50 multiple-choice questions
  • Fee: $53.50 (Inclusive of GST)
  • Registration: Click on the "Register for Examination" Link
  • You must complete the “Practitioner Certificate in Personal Data Protection (Singapore) 2020” preparatory course with any of the PDPC’s appointed training providers and have obtained the Course Completion Certificate for this course. You must then take the examination within 6 months of completing this preparatory course.
  • Registration for the examination after the 6-month period will be considered on a case-by-case basis. You may submit a request with valid reasons to NTUC LearningHub at [email protected] for their assessment.

Is there a validity period that I should take note of for the Practitioner Certificate in Personal Data Protection (Singapore) 2020?

  • There is no expiry for the Practitioner Certificate in Personal Data Protection (Singapore) 2020.

Is there a cap/limit to the number of attempts to sit for the examination?

  • There is no cap/limit to the number of attempts that each candidate may undertake to meet the passing criteria. Please note that a full examination fee applies for each attempt.

Additional Details

Medium of Instruction and Trainer
Medium of Instruction: English
Trainer: Trainee ratio is 1:20

Courseware: Online access provided on Canvas + Physical copy (for local use only)


Course Fee and Government Subsidies


Fee columns: Individual Sponsored and Company Sponsored, each shown Before GST and After GST.

Fee categories:

  • Full Course Fee (for foreigners and those not eligible for subsidies)
  • For Singapore Citizens aged 39 years and below, and for all Singapore Permanent Residents (the minimum age for individual sponsored trainees is 21 years)
  • For Singapore Citizens aged 40 years and above

*After 70% funding for SME-sponsored Singaporeans and PRs under Enhanced Training Support for SMEs (ETSS) scheme

Funding Eligibility Criteria:

Individual Sponsored Trainee 

Company Sponsored Trainee 

SkillsFuture Credit: 

  • Eligible Singapore Citizens can use their SkillsFuture Credit to offset course fee payable after funding.


  • This course is eligible for Union Training Assistance Programme (UTAP).
  • NTUC members can enjoy up to 50% funding (capped at $250 per year) under UTAP. 


  • To check for Post-Secondary Education Account (PSEA) eligibility for this course, visit:
    SkillsFuture (TGS-2022017633) for Virtual Learning Class (VLC)
    SkillsFuture (TGS-2022015820) for Face-to-Face class
  • Scroll down to “Keyword Tags” to verify PSEA eligibility.
  • If there is “PSEA” under keyword tags, the course is eligible for PSEA.
  • If there is no “PSEA” under keyword tags, the course is ineligible for PSEA.
  • Not all courses are eligible for PSEA funding.

Absentee Payroll (AP) Funding: 

  • $4.50 per hour, capped at $100,000 per enterprise per calendar year.
  • AP funding will be computed based on the actual number of training hours attended by the trainee.
  • Note: Courses / Modules under Professional Conversion Programme (PCP) will not be eligible for AP funding claim. 



Terms & Conditions apply. NTUC LearningHub reserves the right to make changes or improvements to any of the products described in this document without prior notice.

Prices are subject to other LHUB miscellaneous fees.
