The global pandemic has sped up the process of digitalisation and transformed the landscape of the economy. Unfortunately, the recession and shrinking market have caused many to lose their means of livelihood. Many businesses are adapting to online transactions and digital solutions as part of their effort to survive. In the bid to quickly digitalise their business, they may neglect efforts to build data protection into their operational controls. Hackers and other malicious agents wait for an opportune time to take advantage of these situations and steal customer or employee data from these businesses. In this situation, a career that is quietly but surely on the rise is the Data Protection Officer (DPO).
The tasks of a Data Protection Officer (DPO) can be summarised into the acronym G-A-P-S-R:
First and foremost, a DPO’s task is to assist the organisation to govern how personal data is being collected, used, disclosed, or stored within an organisation according to the requirements of the Personal Data Protection Act and relevant data protection laws.
From an operational perspective, the responsibilities of the DPO are to:
Assess the risks relating to the processing of personal data, including by conducting a data protection impact assessment (DPIA).
Protect the organisation by developing a data protection management programme (DPMP) against these identified risks. This includes implementing policies and processes for handling personal data.
Sustain the above compliance efforts by communicating personal data protection policies to stakeholders, including through training; conducting audits; and ensuring the ongoing monitoring of risks.
Respond to and manage personal data protection related queries and complaints, and liaise with the data protection regulators (local and/or international) on data protection matters, especially if there is a data protection breach.
Under the Personal Data Protection Act (PDPA), each organisation in Singapore is required by law to designate at least one individual as a DPO. All firms in Singapore need to ensure that the personal data of both external and internal stakeholders, such as customer and employee data, is protected. The Data Protection Officer role is defined in the PDPA as an individual who is designated to oversee the data protection responsibilities within the organisation and ensure compliance with the law. Countries in ASEAN have started to legislate laws that protect personal data in response to the requirements set by more mature markets. Many are modelled on the European Union, which enforces the General Data Protection Regulation (GDPR). The regulation stipulates that the data protection officer (DPO) has an enterprise security leadership role that requires the DPO to assist the organisation to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
All organisations will benefit from hiring a DPO. The first important benefit of hiring a DPO is to mitigate the risk of the organisation suffering a data protection breach and to demonstrate that the organisation is accountable and responsible for the personal data that it handles. A DPO can formulate a DPMP and a Data Breach Management Plan, which will be helpful in demonstrating that due diligence has been undertaken.
In Singapore, the new amendment in the PDPA will soon require organisations to report a breach within three days, which is a similar requirement to the GDPR.
In addition, DPOs can guide the organisation in attaining the required data protection standards, for example the Data Protection Trustmark (DPTM) in Singapore. Through working with the various departments, they would be able to produce a data map, identify gaps, assess the risks and make recommendations to minimise them - actions and plans that would help fulfil the DPTM requirements as well.
A good DPO needs to be versatile and have several skill-sets. The scope listed by the Singapore PDPC includes:
While a DPO requires specific knowledge and skill in data protection, they will also need the soft skills that enable them to work with others as a facilitator or manager of a team. These come with working experience, which would include:
Additionally, knowledge is crucial to understanding the global privacy standard. DPOs should also undergo regular training and attain internationally recognised certifications such as the Certified Information Privacy Professional - Asia (CIPP/A), Certified Information Privacy Professional - Europe (CIPP/E), Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPT). This ensures that DPOs are better equipped with the relevant knowledge in data protection to help their organisation achieve a global privacy standard.
It is important to ensure your DPO has the tools and resources needed to implement the necessary controls for the organisation. A trained DPO can provide value to the organisation by finding methods to minimise the risk of a data breach and by helping to sustain a data protection programme within the organisation systematically. From a recent survey by the DPEX Network, it can be inferred that the risk of a data breach can be halved if a DPO is trained.
Article contributed by Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP)