A Seasoned Data Protection Officer Shares Her Tips for Success

Ann Tan at the 2023 SMU-DPEX Network Masterclass 

Ann Tan spoke to DPEX Network previously about her journey as a Data Protection Officer. Straits Interactive has been her DPO training partner of choice from Day One of her DPO journey.

Today, she is the Head of Compliance & Data Protection Officer at PAFA Financial Advisory Pte Ltd, and her journey has certainly taken her far. We caught up with her again and she shared her views on how her journey has been.

     1. In your 8-year journey, how do you feel your role as a DPO has changed?

When I first started in 2015, it was a simple task of finding out about the PDPA and the role of the Data Protection Officer. It was about how we collect, use, store, protect and dispose of personal data.

Over the years, new legislations, amendments, and changes to requirements have made the depth of knowledge and skills even greater. We are now seeing a shift to Data Governance beyond just Data Protection. New technology such as Artificial Intelligence, ChatGPT, FinTech, and the Internet of Things, among others, all heavily rely on the processing of personal data.    

My role has expanded and become more challenging due to the following:

a)  I am responsible for ensuring compliance with data protection regulations in Singapore. I must always stay vigilant and up to date with the latest developments to ensure that I develop and implement policies and processes based on current regulation requirements.

b)  I play a crucial role in identifying risks related to personal data and if needed, alert my Management on the potential risks and work to mitigate them.

c)  I believe that as a DPO, I play a part in assisting my Management with fostering a data protection culture among employees, emphasising the importance of safeguarding personal data. I am responsible for communicating data protection policies to employees and stakeholders, conducting DPO training sessions on my policies across business units.

d)  I am the first point of contact with the relevant authorities, such as the Personal Data Protection Commission, on data protection matters when necessary.

    2. You were promoted three times since you became DPO. What are some pivotal moments in your career that facilitated this?

I got very interested in Data Protection, and that led me to attain my numerous certifications, all conducted by Straits Interactive such as IAPP Certified Information Privacy Manager (CIPM), IAPP Certified Information Privacy Professional / Asia (CIPPA), SMU Advanced Diploma in Data Protection, OCEG Certified GRC Professional and OCEG Integrated Data Privacy Professional (IDPP). I am also an IAPP Fellow of Information Privacy (FIP), among other qualifications.

In 2018 & 2019, I assisted PDPC in an investigation involving one of our FA Representatives. I was able to provide the PDPC Regulators the necessary policies and supporting documents, such as training attendance, training slides, etc. and was able to convince the Regulators that the fault did not lie with my previous company. As an organisation, we had done what was required and the Regulators accepted our explanation. My previous company was not faulted but the FA Representative was fined. This incident gave my Management the confidence that they had appointed the correct person to take on the role. It also led to my promotion. For me, this incident also gave me a greater insight on how PDPC conducted their investigations and what are the documents they looked for. It also boosted my confidence in my capabilities that I can handle this role and take it even further.

 3. What is your advice to new DPOs who want to advance their careers? 

I strongly encourage and recommend that they attend the relevant courses with Straits Interactive, starting with the 3 days Hands-On Data Protection Officer (DPO) training. By attending such courses, it will enhance their knowledge, understanding and skills set. With our extensive government subsidies, especially those who are 40 years & above, we should seriously tap on these funding to attend these courses. Trust me, this is a good investment, and they will not regret attending them. The training is very proactive, and the trainers are very knowledgeable, and they share real-life examples on breaches and enforcement cases.

Even after getting the relevant certifications, Data Protection Officers must use what they have learnt and apply to their work. They should continuously keep themselves informed on what is happening within Singapore and across the world as well, such as by attending webinars. Check out the PDPC website and Straits Interactive’s Data Protection Excellence Network (DPEX) regularly. They may find guidelines, articles, events and resources that can relate to their respective organisations. 

Learning never stops. You are never too old to learn new things.

 4. You said that collaboration and communication are critical in ensuring comprehensive data protection measures. How do you foster a culture of compliance and data protection within your organization, encouraging active participation and awareness among employees at all levels?

We have our Data Protection committee in place. The committee consists of our Management and Heads of Department. We worked together to ensure that we:

(a)  meet regularly to discuss our respective departments’ issues and concerns and how to handle them.

(b)  conduct training to create awareness and to ensure that all staff and stakeholders are aware of our policies and where they can find the updated policies. The DPO training is done on an annual basis or as and when the need arises. If the changes are not major, communications will be via email.  

(c)  in the event should a breach happen, the committee members will be activated to assist in their respective areas. After each breach, a briefing will be conducted to review how the breach happened,what needs to be done  and implemented to ensure that such incidents do not happen again.

 5. Considering the rapidly changing landscape of data privacy, for eg, with the emergence of Gen AI use in the workplace, what proactive measures do you believe organisations should adopt to stay abreast of emerging data protection risks? 

When we experienced COVID-19 pandemic, it accelerated the need for business operations to grow more digitally reliant and driven.

As we grow and become more interconnected, privacy, data protection and data governance measures have become a paramount consideration for business organisations in response to ensuing frequent and highly publicised data breaches.

Given our current pace of technological advances and innovation, which is expected to continue, it is important for organisations to understand the security safeguards and regulations to put in place to protect our privacy and data.

It is also important for organisations to be mindful of relevant legislation, laws, and regulations on the horizon to address the pressing privacy and data challenges facing business operations everywhere, not just in Singapore.

Watch Ann share about her journey here: