Since the Singapore PDPA came into effect, organisations have been required to appoint at least one individual, generally known as a Data Protection Officer (DPO), to be responsible for personal data in the possession of the organisation or under its control, as well as to be the designated business contact between the organisation and the public.
Using an online survey, DPEXNetwork conducted a study to understand the challenges faced by DPOs. It collected responses from 3rd March to 8th June 2020.
Besides DPOs, some of the respondents were not officially designated DPOs but were involved in, or had a keen interest in, data protection work, or were taking training to advance themselves in a data protection career. The implication is that there is a pool of potential data protection officers training and entering the profession.
Of the respondents who are appointed as DPOs, only 12% are dedicated DPOs. The remaining 88% of respondents are “double-hatters” with other responsibilities and/or they hold a legal counsel role in the organisation. That only 12% of respondents are dedicated DPOs suggests that many organisations could and should pay more attention to the role of a data protection officer.
The other portfolios they hold concurrently with their DPO roles include:
The most common concurrent role is Business Process/Continuity. This is in line with the common perception that data protection is related to Business Continuity Management (BCM), which may not be wrong as long as there is accountability from the organisation.
Due to their multi-portfolio roles, nine in 10 of the designated DPOs (who double-hat their roles) spend less than half their time on data protection related work, and this may affect the effectiveness of their data protection work.
Consistent with the findings that the large majority of organisations do not have dedicated DPOs, the survey also found that most organisations do not have a dedicated data protection committee (working group). As the Personal Data Protection Commission invariably looks at business practices and SOPs in both its guidance on Data Protection Management Programmes and in investigations, organisations need to form a committee (working group) co-ordinated by the DPO and comprising the business ‘owners’ of personal data - that is, the heads of the organisation’s various departments that collect, use or disclose personal data. In this way, the organisation can effectively manage its data protection programme.
In the absence of a committee (working group) comprising individuals responsible for collecting, using or disclosing personal data in their areas of business responsibility, the DPO is severely hampered from working effectively and the organisation may well fail in its data protection efforts.
Not surprisingly, the biggest challenge reported by DPOs or those working in the data protection field is having insufficient bandwidth to do a proper DPO job. Logically, therefore, they face significant difficulty in developing and implementing data protection policies and practices/SOPs and in conducting DPIAs. These tasks, which are not in any way optional, require investing a fair amount of time and attention from the DPO in co-ordinating the activities of the business ‘owners’ of personal data to achieve effective outcomes that support business processes effectively and efficiently.
Perhaps due to the lack of bandwidth or perhaps due to a focus by the business ‘owners’ of personal data - or a combination of both factors - a high percentage of those involved in DP work responded in the survey that their organisation experienced some kind of data incident/breach in the last 36 months.
Written by Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.