Issues and Challenges faced by Data Protection Officers in Singapore (Part II)


Findings from the Survey on DPOs in Singapore 2020 

In a continuation of analysing the issues and challenges that DPOs face, we find that the challenges have an effect on the organisation and how qualified the DPOs are affected the vulnerability of the organisation to a data breach.   


In part I of this article, it was found that many of the DPOs are “double-hatting” leading to the question on whether they have sufficient bandwidth to be properly trained or to do a proper DPO job.  90% of the DPOs indicated they spend less than 50% of their time in data protection related work and not surprisingly, the top-most challenge faced by DPOs face the challenge of having sufficient bandwidth to do a proper DPO job.  If we break down the different types of DPOs, we can see that the largest group, the DPOs whoo Double-Hat with Other Functions do not have sufficient bandwidth/time to do a proper DPO job. 

With the data protection given nominal attention, it leads to various challenges faced by DPOs in managing and operationalising a data protection programme. We can see from Table 1 that those who “Double-Hat” and Legal Counsel who act as DPOs have insufficient bandwidth/time to do a proper DPO job.

Table 1: Challenges faced by various types of DPOs

Dedicated DPODouble-Hat with other functionsLegal Counsel/DPO
1Coordinating compliance across multiple stakeholders and departmentsHaving sufficient bandwidth/time to do a proper DPO jobCoordinating compliance across multiple stakeholders and departments
2Implementing Data Protection policiesImplementing Data Protection policiesHaving sufficient bandwidth/time to do a proper DPO job
3Getting support from Senior ManagementConducting the Data Protection Impact Assessment (DPIA)Conducting the Data Protection Impact Assessment (DPIA)
Co-operation from department heads to form the Data Protection TeamCoordinating compliance across multiple stakeholders and departmentsGetting support from Senior Management
Drafting policies and standard operational proceduresCo-operation from department heads to form the Data Protection TeamImplementing Data Protection policies

Coupled with the lack of time is the lack of experience. Most of the DPOs have less than two years of experience.

Table 2: Years of Experience in DPO Job

No. of year(s) in jobDPO – Double-hattingDPO – DedicatedDPO – Legal Counsel
<1 year53%33%34%
1-2 years33%33%48%
3-5 years9%13%14%
5-7 years3%7%0%
>7 years1%13%3%
Grand Total100%100%100%

About one in five of those involved in DP work responded that their organisation experienced some kind of data incident/breach in the last 36 months.   This indicates that Singapore organisations are relatively safer than other global organisations.  According to a study by the Ponemon Institute (by IBM) in 2019, companies have almost a 30% chance of experiencing data breach within 2 years.  Despite that, this is still a matter of concern as it poses a significant risk to the organisation.

The lack of experience may be mitigated by training.  This can be inferred from the result of the survey where the incidence of breached experienced by trained DPOs is half of the organisation managed by untrained DPOs; i.e. DPOs who are untrained are twice as likely to experience a data breach.  

Given the growing trend for online transactions, work and learning, exacerbated by the pandemic, it is inevitable that data protection will become a requirement that is an integral business and life.  As more countries enforce data protection law (e.g. Brazil brought forward the implementation of its laws), the need for DPO and for DPO to continually maintain the relevance and upgrade of their skill will be inevitable.


The challenges faced by DPOs in Singapore are many fold – from not taking on multiple roles to the lack of experience. The findings indicate that the challenge of holding on to multiple roles is also inhibiting the DPOs in managing the data protection programme effectively.

Further factors that reduce the effectiveness of the DPO is the lack of support from having a data protection committee (as outlined in Part I) and the lack of experience.

The findings also indicate that DPOs who are untrained are significantly more likely to experience a breach, exposing the organisation to greater risk.

With the proliferation of online transactions, work and learning and expansion of data protection enforcement, it is impending that the data protection industry will see an increase in demand for data protection training, consultancy and outsourced data protection service.

Click here for Part I outlining the profile of DPOs

Click here to know about the learning journey roadmap of a DPO.

Written by Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.

Just one more step! We've sent an email to .
Please check your inbox or spam and open it to activate your account.

Related Articles