What is the role of a Data Protection Officer?

What is the role of a Data Protection Officer?

2 Dec, 2020

Data protection trends and the role of a DPO

The global pandemic has sped up the process of digitalisation and transformed the landscape of the economy. Unfortunately, the recession and shrinking market have caused many to lose their means of livelihood. Many businesses are adapting to online transactions and digital solutions as part of their effort to survive. In the bid to quickly digitalise their business, they may neglect efforts to build data protection aspects into their operational controls. Hackers and other malicious agents wait for an opportune time to take advantage of these situations and steal customer or employee data from these businesses. Under this situation, a career that is quietly but surely on the rise is the Data Protection Officer (DPO).

To learn more about Data Protection and the importance of DPOs in safeguarding personal data, please read our Data Protection 101 guide.

The tasks of a DPO can be summarised into the acronym G-A-P-S-R:

First and foremost, a DPO’s task is to assist the organisation to govern how personal data is being collected, used, disclosed, or stored within an organisation according to the requirements of the Personal Data Protection Act and relevant data protection laws.

From an operational perspective, the responsibilities of the DPO are to:

Assess the risks relating to the processing of personal data and this includes conducting a data protection impact assessment (DPIA).

Protect the organisation by developing a data protection management programme (DPMP) against these identified risks. This includes implementing policies and processes for handling personal data.

Sustain the above compliance efforts by communicating personal data protection policies to stakeholders including training; conducting audits as well as ensure the ongoing monitoring of risks.

Respond and manage personal data protection related queries and complaints as well as liaising with the data protection regulators (local and/or international) on data protection matters, especially if there is a data protection breach.

Under the Personal Data Protection Act (PDPA), each organisation in Singapore is required by law to designate at least one individual as a DPO. All firms in Singapore need to ensure that personal data of both external and internal stakeholders, such as customer and employee data are protected. The Data Protection Officer role is defined in the PDPA as an individual who is designated to oversee the data protection responsibilities within the organisation and ensure compliance with the law. Countries in ASEAN have started to legislate laws that protect personal data in response to the requirement set by the more matured markets. Many model after the European Union which enforce the General Data Protection Regulation (GDPR). The regulation stipulates that the data protection officer (DPO) has an enterprise security leadership role that requires the DPO to assist the organisation to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.  

To learn about data protection laws in selected Asian Countries, click here.


How trained data protection officers on staff can benefit companies

All organisations will more than benefit from hiring a DPO. The first important benefit of hiring a DPO in an organisation is to mitigate the risk of the organisation from having a data protection breach and to demonstrate that the organisation is accountable and responsible for the personal data that it handles. A DPO can formulate a DPMP and Data Breach Management Plan which will be helpful in demonstrating that due diligence has been undertaken.

In Singapore, the new amendment in the PDPA will soon require organisations to report a breach within three days, which is a similar requirement to the GDPR.

In addition, DPOs can guide the organisation in attaining the required data protection standards, for example, the Data Protection Trustmark (DPTM) in Singapore. Through working with the various departments, they would be able to have a data map, identifying gaps and assess the risks as well as recommendations to minimise the risks - actions and plans that would help fulfil the DPTM requirements as well.

A good DPO needs to be versatile and have several skill-sets. The scope listed by the Singapore PDPC includes to:

  • Develop and review a Data Protection Management Programme (DPMP) that covers policy, processes, and people for the handling of personal data at each stage of the data lifecycle.
  • Perform a Data Protection and Impact Assessment (DPIA) to identify, assess and address business risks, based on the organisation’s functions, needs and processes.
  • Develop a training programme to educate staff on personal data protection policies and processes/SOPs
  • Oversee activities to foster personal data protection awareness within the organisation.
  • Enhance compliance processes based on an evaluation of gaps in business operations and data protection requirements, and clarify on ethically questionable situations at various stages of data or information life cycle.
  • Facilitate the implementation of data innovation by translating the user’s privacy and personal data protection requirements into a data-driven design thinking process.


The skillset involved in understanding and implementing a global privacy standard

While a DPO requires specific knowledge and skill in data protection, they will also need the soft skills that enable them to work with others as a facilitator/manager of a team. This comes with working experience which would include:

  • Understanding of the organisation’s operations and business processes as it relates to processing or C-U-D-S (Collection, Use, Disclosure/Transfer, Storage/Disposal) of personal data.
  • Knowledge of data protection/privacy laws, including drafting of privacy policies, technology provisions and outsourcing agreements
  • Appreciation of IT systems, especially in the areas of security and privacy standards
  • Understanding of auditing, attestation audits and the assessment and mitigation of risk
  • Leadership skills achieving stated objectives involving a diverse set of stakeholders and managing varied projects
  • Negotiation skills to interface successfully with Data Protection Authorities/regulators
  • Able to manage client/customers (members of the public)/internal stakeholders relationship to continuously coordinate with regulators, internal business units and processors while maintaining independence
  • Demonstrated communication skills to speak with a wide-ranging audience, from the management to individuals (data subjects), from managers to IT staff and lawyers
  • Being a self-starter with the ability to gain required knowledge in dynamic environments  

Additionally, knowledge is crucial to understanding the global privacy standard. It is important that DPOs should also go for regular training and attain internationally recognised certifications like the Certified Information Privacy Professional - Asia (CIPP/A), Certified Information Privacy Professional - Europe (CIPP/E), Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPT). This ensures that the DPOs are better equipped with the relevant knowledge in data protection to assist them in helping their organisation achieve a global privacy standard.

It is important to ensure your DPO has the tools and resources needed to implement the necessary controls for the organisation. A trained DPO can provide value to the organisation by finding methods to minimise the risk of a data breach and help to sustain a data protection programme within the organisation systematically. From a recent survey by the DPEX Network, it can be inferred that the risks of data breach can be halved if a DPO is trained.

Click here to have an overview of learning and development for DPOs.

Click here to assess what learning and development is required for you/your DPO.

Article contributed by Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP) 

Updated on 13 October 2021

Become a DPEX Community member to access
data protection resouces and discussions on pertinent topics now.

Access online / in-person courses and view past training records

Join lively discussions on pertinent data protection topics

Gain access to data protection research and video resources

Receive value-added data protection updates from the region

  Related Articles
Heightened Demand for Data Protection expertise

Well, this was going to happen at some point in time in the world - with the ex…

Recommendations of Public Sector Data Security Re…

In the wake of major breaches, the Public Sector Data Security Review Committee…

Compliance Trends you better leave behind in 2019

Now that we are starting a new year, we can reflect on a few compliance trends …