Is there a shortage of talent in the data protection profession?

With the increase in online transactions and WFH (work from home) arrangements, the pandemic has merely catalysed the growth in the demand for data protection profession and cybersecurity professions that was already happening in the increasingly digitised economy.

What are the signs that point to that? The main signs or reasons are:

New Data Protection Laws, especially in the ASEAN region.

Besides the European Union, which has the General Data Protection Regulation(GDPR), three ASEAN countries - Singapore, Malaysia and the Philippines - have got relatively new data protection laws in force. New data protection laws are expected to be in force in Thailand and Indonesia next year. Outside ASEAN, new data protection laws are expected in India and China, two of the most populous countries in the world, in 2021.

Appointment of a data protection officer to safeguard personal data within an organisation.

Compliance with any law always requires senior leadership within an organisation - tone at the top. In addition, it always requires assignment of responsibility for getting compliance frameworks in developed and implemented and then monitored and maintained. That person might be called a data protection officer or they might have some other job title. The point is that they need data protection, including cybersecurity, expertise.

Data breach notification requirements in the data protection laws.

Mandatory notification of data breaches is increasingly common. If there is a cyberattack within an organisation in Singapore at present, organisations are encouraged to report it to the regulator. With the changes to the PDPA passed by Parliament on 2 November, notification to the regulator within three calendar days is mandated.

The above factors require trained personnel, especially data protection officers and professionals besides just cybersecurity talents. The bigger shortage is in data protection which covers the rules that govern how personal data is collected, used, disclosed/transferred and stored/disposed of. While cybersecurity focuses more on the IT systems level, data protection is holistic and covers the handling of personal data end-to-end - from creation to disposal - at the policy, people and process level, besides just IT systems.

Findings from the IAPP

The International Association of Privacy Professionals (IAPP), estimated there would be 75,000 DPO jobs worldwide just for the EU GDPR requirements alone. However, as the EU encourages its trading partners to adopt similar laws, countries that want to remain as trusted trading partners are implementing similar data protection laws. Some jurisdictions (for example Singapore and the Philippines) mandate the appointment of a DPO - but as we mention above, even where there is no mandate the same expertise is required in practice.

Findings from Singapore PDPC

In a 2019 industry survey by Singapore’s PDPC, only 66% of businesses acknowledged they have appointed a DPO with 40% requiring outsourced data protection services and 51% requiring external service to set up the IT security system.

Findings from DPEXNetwork Study

In a 2020 DPO study conducted by DPEXNetwork, it was found that only 12% of the DPOs are dedicated DPOs, i.e. they have a defined and dedicated responsibility of safeguarding the organisation’s personal data. The majority of DPOs appointed (66%) take on “double-hat” roles. Data protection requirements such as DPO (having a Data Protection Officer), DPMP (Data Protection Management Programme), DPIA (conducting a Data Protection Impact Assessment), Data Flow, DPbD (ensuring products/services have Data Protection by Design) all require specialised expertise therefore creating more demand for DPOs and DP expertise. DPEXNetwork expect to see an acute shortage of DPOs in ASEAN with Singapore anticipated to need about 10,000 by end of 2020/21.

On the supply side, the number of individuals attending data protection certification courses offered by Straits Interactive increased 10-fold in the three years from 2016 to 2019. From a professional certification perspective, Singapore has less than 1000 certified privacy managers (CIPM) which is the worldwide benchmark for a qualified DPO.

In short, yes there is a growing demand for the data protection profession and the gap between demand and trained talent has increased over the recent years.  To further understand development in digitisation, data protection and the "rise of the DPO", one can learn about the trend.

Article contributed by
Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP), Leong Wai Chong (CIPM, GRCP)