Data Protection 101: why data privacy and DPOs matter


What is data protection?

The concept of data protection encompasses the collection, usage, disclosure or transfer, and storage of personal data (CUDS for short). Today's digital age has made personal data the lifeblood of businesses and the economy, as people freely share data and information on a daily basis. To prevent unauthorised use of individuals' personal information by organisations, data privacy laws have been introduced in many jurisdictions worldwide, e.g. Europe’s General Data Protection Regulation (EU GDPR), Singapore’s Personal Data Protection Act (PDPA), the Philippines’ Data Privacy Act (DPA) and Malaysia’s Personal Data Protection Act (PDPA).

Data protection laws require organisations that handle personal data to demonstrate accountability and responsibility. To be operationally compliant with the laws, organisations should have a data protection management programme (DPMP) in place to translate the requirements of the law into their business practices.

What does a data protection officer (DPO) do?

A Data Protection Officer (DPO) is essential in today’s environment, as digitalisation has made it convenient for organisations to collect and analyse data for various business purposes. However, this convenience has brought about vulnerabilities and risks that may not be factored into the organisation’s overall governance, risk management and compliance strategy.

The main responsibility of the DPO is to help the organisation govern how personal data is collected, used, disclosed, or stored within the organisation, according to the requirements of the data protection laws. If there are gaps in the operations that process personal data, the DPO works with the relevant departments to ensure that there are adequate controls to mitigate the risks and rectify the gaps. The DPO also works with the relevant departments to ensure that the organisation's privacy policy and data protection training are updated and communicated to staff.

What qualifications do you need to be a DPO?

The data protection laws of many countries require organisations handling personal data to demonstrate accountability and responsibility. Although a DPO need not be a trained legal professional, they are expected to have sufficient data protection knowledge and assist the organisation to be operationally compliant by implementing good data protection practices within the organisation’s business processes.

If you would like to learn more about data protection and become a qualified DPO, sign up for our Advanced Certificate in Data Protection Operational Excellence or check out our articles below to find out more on the best choice for your DPO journey:

What organisations need to have a DPO?

All organisations that handle personal data, including employees’ personal data, need to have a DPO.

Other than that, the pandemic has turbocharged the digital transformation for many organisations. Companies were forced to adapt to the wave of change in delivering products and services, as well as adapt to the new remote working concept. However, digital transformation comes with digital risks and vulnerabilities - both from a security and a privacy perspective. A DPO can help the organisation to transition through the change and ensure that new data protection measures are implemented to address these new risks.

A yearly data protection trends forecast is released by DPEX Network based on research for people in the data protection industry to get a taste of the data protection landscape in the coming year. DPOs and organisations can use this to better understand the data protection and privacy challenges that may arise and plan for the year ahead.

Can the duties of the DPO be outsourced?

“You can delegate the task, but not the responsibility.”

A company whose resources are stretched thin by the pandemic may consider outsourcing its DPO. However, the company should be mindful that although the role of the DPO can be outsourced, the responsibility and accountability to its stakeholders still lie with the company.

What is Data Protection-as-a-Service (DPaaS)?

Effective data protection practices enhance customer trust and maximise a business's value. Hence, the Infocomm Media Development Authority (IMDA) introduced the DPaaS@SMEs programme to aid SMEs in basic data protection functions within the organisation’s processes and strengthen their overall data protection capabilities.

DPaaS can be an integrated bundle of data protection services that enable organisations to train their DPO and set up a Data Protection Management Programme (DPMP) with the data breach management function included. It could also include outsourced advisory support towards operational compliance with data protection requirements.

Keep a lookout and join us in our regular data protection webinars where we bring professionals in our data protection community together to discuss, share and learn insights to drive data protection excellence within organisations.

This article was updated on 1 October 2021.
