PDPA Assessment Tool for Organisations

Select “All” categories if all the obligations are relevant to your organisation.

If not, you may select those which are relevant to your organisation. Most organisations should select at least 9 of the categories above

Select the “Accountability Only” if your organisation does not collect personal data. Personal data includes names of individuals, contact numbers, addresses of stakeholders such as employees, customers, contractors, donors, volunteers etc.

If not, you may select those which are relevant to your organisation. Most organisations should select at least 9 of the categories above

Select “Data Protection Provision” categories if all the obligations are relevant to your organisation, except for the Do Not Call Provisions.

If not, you may select those which are relevant to your organisation. Most organisations should select at least 9 of the categories above

Select the “Do Not Call Provisions” category if only the Do Not Call provisions are relevant to your organisation.

If not, you may select those which are relevant to your organisation. Most organisations should select at least 9 of the categories above

Answer each question with either 'Implemented', 'Partially Implemented', 'Not Implemented', or 'Not Applicable'.

This implies that a particular requirement or initiative has been successfully implemented in your organisation. The term 'success' qualifies that there are policies to support, and processes to implement, and people to carry out personal data protection measures or duties in accordance to the requirement. The particular PDPA requirement that is being assessed has been internalised into your operations and is a way of doing things in your organisation.

This implies that a particular requirement or initiative has been partially implemented in your organisation. The term "partial" could mean a number of things.

Here are some examples:

Policy in place but no processes to support it or operationalise the requirement.
Data Protection measure is practiced in your organisation but has not been formalised into a policy or a standard operating procedure.
Implemented at the main office but the branches have yet to follow suit.

This implies that a particular requirement or initiative has not been implemented in your organisation. This means that there are no policies, no processes and no people/system to support the requirement. Some of this may be in the pipeline and is planned for the future.

This implies that a particular requirement or initiative does not apply to your organisation. For example, if your organisation does not engage in telemarketing, the DNC requirements may not be applicable.

Click 'Hide Details' or 'Show More' to reveal or remove more information about the requirement in the statement.

Describe what you or your organisation has done to be PDPA ready. This includes measures such as policies, procedures, plans, forms, notices, data inventory maps, data flow charts, security measures, training, contract clauses, data protection management programme, consent register, data protection impact assessment, etc.

Get the results at the end of the tool.

Download the PDF report to save a copy of your assessment score. PDPC will not be retaining these scores so please remember to save the report.

Download the 'Action Plan' and 'Implemented Measures' Excel document. You can use this to provide more information on implemented measures or on your plans to develop measures.

Welcome, let's get you started.