90% FIRST DRAFT
This DIM draft covers 13 processes across 8 departments, generated from your 10 survey answers. The industry template provides ~60% of the content, survey enrichment ~25%, and auto-rules ~10%. The remaining ~5-10% needs your review and confirmation.
KEY RISK: s26 CROSS-BORDER
Your survey indicates data transfer to Malaysia. Under PDPA section 26, you must ensure comparable protection in the receiving country. This affects every process that uses a cloud storage provider (AWS, GCP, Azure) if data is processed or stored on Malaysian servers. Review each process that uses cloud storage and confirm where its data actually resides.
KEY RISK: NRIC COLLECTION
7 of your 13 processes involve NRIC data. Under PDPA section 18, NRIC collection requires explicit consent; deemed consent is NOT sufficient. Ensure all NRIC collection points have clear, specific consent mechanisms. This is Singapore's #1 PDPA enforcement trigger.

PROCESS 1 OF 13
Department: HR
Data classification: P&C
Legal basis: Express (job application form)
Status: 🟢 Template
Data Subject: Job Applicants
Collection Purpose: Employment evaluation and selection
Retention: 1 year (unsuccessful), 3 years (shortlisted)
Personal Data Types: Name, NRIC, nationality, address, contact, education, work experience, expected salary
Collection Source: Job portal, website, email
Collection Medium: Online form, email, physical form
Physical Storage: HR room (restricted access)
Electronic Storage: HRIS, cloud storage, email server
Internal Users: Hiring managers (evaluation), HR (processing), Management (approval)
External Parties: Cloud storage provider, IT vendor
PDPA RISK FLAGS
- s18: NRIC → explicit consent mandatory
- P&C data → 3-day breach notification
- Physical collection → notify at point of collection
- s11: Multiple third-party transfers

PROCESS 2 OF 13
Department: HR
Data classification: P&C
Legal basis: Deemed contractual (employment)
Status: 🟢 Template
Collection Purpose: Employment onboarding and administration
Retention: Duration of employment + 5 years
Personal Data Types: Name, NRIC, FIN, contact, bank account, medical, emergency contact, education credentials
Collection Source: Employee, government portals
Collection Medium: Physical form, in-person, online form
Physical Storage: HR room (restricted access)
Electronic Storage: HRIS, cloud storage
Internal Users: HR (administration), Management (oversight)
External Parties: Cloud storage provider, payroll processor, insurance provider
PDPA RISK FLAGS
- s18: NRIC → explicit consent mandatory
- P&C data → 3-day breach notification
- Physical collection → notify at point of collection
- s11: Multiple third-party transfers

PROCESS 3 OF 13
Department: HR
Data classification: P&C
Legal basis: Deemed contractual (employment)
Status: 🟢 Template
Collection Purpose: Performance evaluation and career development
Personal Data Types: KPI, performance score, disciplinary record, attendance, NRIC
Collection Source: HRIS, manager input
Collection Medium: Online form, in-person
Physical Storage: HR room (restricted access)
Electronic Storage: HRIS/PMS portal
Internal Users: Hiring managers (evaluation), HR (processing)
External Parties: Cloud storage provider
PDPA RISK FLAGS
- s18: NRIC → explicit consent mandatory
- P&C data → 3-day breach notification
- s11: Multiple third-party transfers

PROCESS 4 OF 13
Department: HR
Data classification: P&C
Legal basis: Deemed contractual (employment) + Legal obligation (IRAS)
Status: 🟢 Template
Collection Purpose: Salary disbursement, statutory contributions, benefits administration
Retention: 5 years (regulatory)
Personal Data Types: Name, NRIC, bank account, salary, CPF, tax, leave records
Collection Source: Employee, government portals, HRIS
Collection Medium: Online form, in-person
Electronic Storage: HRIS, payroll system, cloud storage
Internal Users: HR (processing), Finance (reporting), Management (oversight)
External Parties: Payroll processor, bank/payment processor, insurance provider, IRAS
PDPA RISK FLAGS
- s18: NRIC → explicit consent mandatory
- P&C data → 3-day breach notification
- s11: Multiple third-party transfers

PROCESS 5 OF 13
Department: Sales/Marketing
Data classification: Confidential & Sensitive
Legal basis: Deemed by conduct (contractual)
Status: 🟢 Template
Data Subject: Customers/Consumers
Collection Purpose: Course enrolment and order fulfillment
Data Owner: Sales/Marketing
Retention: Duration of relationship
Personal Data Types: Name, email, phone, address, payment info, course preferences
Collection Source: Website, mobile app, in-person
Collection Medium: Online form, mobile app, in-person/over the counter
Physical Storage: Enquiry counter (restricted access)
Electronic Storage: CRM, database, cloud storage
Internal Users: Sales team (processing), Customer Service (support), Management (oversight)
External Parties: Cloud storage provider, bank/payment processor, IT vendor
PDPA RISK FLAGS
- s11: Multiple third-party transfers

PROCESS 6 OF 13
Department: Sales/Marketing
Data classification: Confidential & Sensitive
Legal basis: Express (marketing consent)
Status: 🟢 Template
Data Subject: Customers/Consumers
Collection Purpose: Course promotion and marketing outreach
Data Owner: Sales/Marketing
Retention: 2 years (marketing data)
Personal Data Types: Name, email, phone, age, course preferences, DNC status
Collection Source: Website, CRM
Collection Medium: Online form, email
Electronic Storage: CRM, cloud storage
Internal Users: Marketing team (campaign execution)
External Parties: Cloud storage provider, marketing agency
PDPA RISK FLAGS
- s14: Express consent required for marketing
- s11: Multiple third-party transfers

PROCESS 7 OF 13
Department: Customer Service
Data classification: Confidential
Legal basis: Deemed by conduct (service inquiry)
Status: 🟢 Template
Data Subject: Customers/Consumers
Collection Purpose: Customer support and issue resolution
Data Owner: Customer Service
Personal Data Types: Name, email, phone, enquiry details, account reference
Collection Source: Website, phone, in-person, email
Collection Medium: Online form, phone call, email, in-person/over the counter
Physical Storage: Service counter (restricted access)
Electronic Storage: CRM, cloud storage, email server
Internal Users: Customer Service (resolution), Management (escalation)
External Parties: Cloud storage provider, IT vendor
PDPA RISK FLAGS
- s11: Multiple third-party transfers

PROCESS 8 OF 13
Department: Customer Service
Data classification: Confidential & Sensitive
Legal basis: Deemed by conduct (service complaint)
Status: 🟢 Template
Data Subject: Customers/Consumers
Collection Purpose: Complaint resolution and service improvement
Data Owner: Customer Service
Retention: 12 months post-resolution
Personal Data Types: Name, contact, complaint details, order reference, resolution notes
Collection Source: Website, phone, in-person, email
Collection Medium: Online form, phone call, email, physical form
Physical Storage: File cabinets (locked)
Electronic Storage: CRM, complaints database (encrypted), cloud storage
Internal Users: Customer Service (resolution), Management (escalation), HR (if staff-related)
External Parties: Cloud storage provider, IT vendor
PDPA RISK FLAGS
- Physical collection → notify at point of collection
- s11: Multiple third-party transfers

PROCESS 9 OF 13
Department: IT
Data classification: P&C
Legal basis: Deemed contractual (employment)
Status: 🟢 Template
Collection Purpose: IT account provisioning and access management
Retention: Duration of employment
Personal Data Types: User ID, password (hashed), email, name, access level, NRIC
Collection Source: HR system (onboarding trigger)
Collection Medium: Automated system
Electronic Storage: Active Directory, email server, cloud storage
Internal Users: IT (administration), HR (oversight)
External Parties: Cloud storage provider, IT vendor
PDPA RISK FLAGS
- s18: NRIC → explicit consent mandatory
- P&C data → 3-day breach notification
- s11: Multiple third-party transfers

PROCESS 10 OF 13
Department: Operations
Data classification: P&C
Legal basis: Deemed by conduct (service delivery)
Status: 🟢 Template
Data Subject: Customers/Consumers; Employees
Collection Purpose: Course scheduling and operational coordination
Retention: Duration of relationship
Personal Data Types: Name, contact, schedule, attendance, course allocation, NRIC
Collection Source: Website, CRM, in-person
Collection Medium: Online form, mobile app, in-person
Physical Storage: Office (restricted access)
Electronic Storage: Scheduling system, CRM, cloud storage
Internal Users: Operations (scheduling), Sales (customer queries)
External Parties: Cloud storage provider, IT vendor
PDPA RISK FLAGS
- s18: NRIC → explicit consent mandatory
- P&C data → 3-day breach notification
- s11: Multiple third-party transfers

PROCESS 11 OF 13
Department: Management
Data classification: P&C
Legal basis: Legitimate interests (business operations)
Status: 🟢 Template
Data Subject: Customers/Consumers; Employees
Collection Purpose: Strategic planning and business analytics
Personal Data Types: Aggregated/sales data, KPIs, attendance trends, financial summary, NRIC
Collection Source: CRM, HRIS, financial systems
Collection Medium: Automated aggregation
Electronic Storage: Business intelligence system, cloud storage
Internal Users: C-suite (decision making), Management (oversight)
External Parties: Cloud storage provider, IT vendor
PDPA RISK FLAGS
- s18: NRIC → explicit consent mandatory
- P&C data → 3-day breach notification
- s11: Multiple third-party transfers

PROCESS 12 OF 13
Department: Procurement
Data classification: Confidential
Legal basis: Deemed contractual (vendor agreement)
Status: 🟢 Template
Data Subject: Business Partners/Vendors
Collection Purpose: Vendor evaluation, procurement and contract management
Retention: 5 years (contract duration)
Personal Data Types: Company name, contact person, contract details, payment terms, procurement records
Collection Source: Vendor, website, email
Collection Medium: Online form, email, physical form
Physical Storage: Filing cabinets (locked)
Electronic Storage: Procurement system, cloud storage, shared drive
Internal Users: Procurement (evaluation), Finance (payment), Management (approval)
External Parties: Cloud storage provider, IT vendor, bank/payment processor
PDPA RISK FLAGS
- Physical collection → notify at point of collection
- s11: Multiple third-party transfers

PROCESS 13 OF 13
Department: R&D
Data classification: Confidential
Legal basis: Express (research consent) + Legitimate interests
Status: 🟢 Template
Data Subject: Customers/Consumers
Collection Purpose: Product improvement and course development research
Retention: 2 years (research data)
Personal Data Types: Usage data, feedback, preferences, anonymised learning analytics
Collection Source: Mobile app, website
Collection Medium: Mobile app, online form
Electronic Storage: Analytics platform, cloud storage, database
Internal Users: R&D (research), Management (strategic review)
External Parties: Cloud storage provider, IT vendor
PDPA RISK FLAGS
- s11: Multiple third-party transfers