What does it take to be a Data Protection Officer?

2021-02-23

The data protection laws of many countries require organisations handling personal data to demonstrate accountability and responsibility. This entails having a compliance programme (that includes pre-emptive safeguards as well as risk management) which is commonly known as a data protection management programme (DPMP). Hence, it is the DPO who runs the DPMP in order to sustain the compliance efforts in accordance with the data protection requirements. In countries like Singapore, organisations need to have an appointed DPO. 


Knowledge of the Information Life Cycle

To perform the data protection role effectively, the DPO should be aware of how personal data is collected, used, disclosed and stored (CUDS) within the organisation’s business processes, since it is these processes that the DPO has to govern.

This knowledge is crucial because:

  1. There are processing risks at each phase of the information life cycle that need to be identified.
  2. The Personal Data Protection Act (PDPA), or the relevant data protection law, governs the CUDS of personal data.

Data protection should be viewed as part of corporate governance, risk management and compliance (GRC), rather than the common misconception that it is just about cybersecurity. Having some knowledge of Information Technology (IT) would definitely be an advantage to perform the DPO role, given how pervasive technology is. However, processing personal data does not just involve technology, but is prevalent in every part of the organisation’s operation: from reception to the paper recycling bin.


Responsibilities of a Data Protection Officer

So what does a DPO do? First, a DPO must have an understanding of the applicable data protection law (PDPA, DPA, GDPR, or the law of whichever jurisdictions the organisation operates or trades in). The organisation should take time to assess its needs before appointing a person suitable for the role of DPO. The Singapore Personal Data Protection Commission (PDPC) outlines the DPO responsibilities below1, but in our experience they often extend beyond the following:

  • Ensure compliance with PDPA when developing and implementing policies and processes for handling personal data;
  • Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
  • Manage personal data protection related queries and complaints;
  • Alert management to any risks that might arise with regard to personal data; and
  • Liaise with the PDPC on data protection matters, if necessary.

The DPO can be someone from within your organisation. Larger organisations might appoint someone to take on the DPO role as a full-time job. In smaller organisations, it’s more common to see double-hatting - that is, where the responsibilities of a DPO are added to another job role.

In fact, in a survey conducted amongst DPOs in 2020, DPEXNetwork found that 66% of DPOs “double-hat”, many of them in the field of Business Process/Continuity planning and/or Compliance.


[Chart: double-hatting among DPOs. Source: DPEXNetwork DPO Survey 2020]


Skills and Requirements of a DPO

From the responsibilities listed above, we can understand why the PDPA guidelines recommend that the DPO be of a fairly senior level (mid to senior management):

"Appoint a Data Protection Officer (“DPO”), preferably from senior management, who can effectively direct and oversee data protection initiatives. The DPO will be supported by representatives from various organisational functions." 1

This is because he/she will have to understand, and have some working knowledge of, the various business lines in order to work with them.

Secondly, it is apparent that data protection work is related to governance, compliance and risk management (GRC), though knowledge of information systems would be helpful. For instance, the DPO should have some appreciation of information security issues.

Thirdly, a key responsibility area is to document and implement policies and processes for handling personal data that comply with the requirements of the PDPA or the applicable data protection law. Hence, DPOs need to work with business line managers to ensure ongoing operational compliance with the stated policies and processes.

Finally, DPOs may need to wear several hats when performing their roles - compliance, project and risk manager; trainer; counsellor and investigator. They would also need to be able to communicate and liaise with senior management. Hence, the role calls for a more experienced professional who can work with the various business operational lines and put data protection knowledge into practical policies and processes.

Do note that the risks associated with processing personal data may be enterprise- and industry-specific. Therefore, it is important that the DPO is hands-on and familiar with the company’s business operations and the data handling needs of that specific industry.

An overview of the learning roadmap to become a DPO is given in the Learning Roadmap section below.


Skill Sets required

In light of the above requirements, what skills does a DPO need? Below is a list of just some of the skill set requirements:


“Hard skills”

  • Experience in applying data protection law (familiarity with the GDPR would be an added bonus), including drafting privacy policies, technology provisions and outsourcing agreements. Short of experience, the “hack” to this is to invest time in attending courses and learning from the knowledge/experience of others.
  • Some knowledge of IT systems and security, including information security standards certifications and data protection seals/marks.
  • Familiarity with information systems auditing, attestation audits, and the assessment and mitigation of risk.

In today’s context, everyone is expected to have knowledge of how data is collected for business operations and/or analytics. This knowledge comes with work experience, so it would be difficult for an inexperienced worker to be a DPO.


“Soft skills”

  • Demonstrated leadership skills in achieving stated objectives involving a diverse set of stakeholders and managing varied projects.
  • Demonstrated negotiation skills to interface successfully with regulators, individuals (consumers and data subjects) and internal clients.
  • Relationship management skills to continuously coordinate within departments of the organisation and externally with controllers and vendors handling personal data (processors), while maintaining independence.
  • Able to communicate with a wide-ranging audience, from the board of directors to individuals (data subjects), from managers to IT staff and lawyers.
  • A self-starter with the ability to gain the required knowledge in dynamic environments.
  • Demonstrated record of engaging with emerging laws and technologies (which again can be “hacked” by attending training).
  • Able to deal with different business cultures and industries.

As data protection is new, it would be difficult to find an “experienced” candidate in this field. As mentioned, a possible “hack” is to find those who have gone through the training (i.e. learn from the knowledge/experience of others).


Whilst many jurisdictions allow the DPO role to be outsourced, the third-party service should be seen as supplementary, as the organisation remains accountable. There are inherent benefits to employing an in-house DPO to manage the DPMP, as he/she has specific company and industry knowledge and networking relationships.


How does one become a DPO?

The Singapore PDPC outlines the DPO Competency Framework and Training Roadmap (Framework)2 to guide Data Protection (DP) professionals in enhancing their competencies so as to perform their job functions effectively in an organisation. The Framework outlines the core competencies and proficiency levels for a DPO and provides guidance on a viable career pathway from entry-level data protection executives to regional data protection senior management roles. These are the skills that can be learnt through training.


Learning Roadmap

Aspiring candidates going into the data protection field should choose their training programme and trainers carefully. The DPEXNetwork is one platform that a person can go to for the baseline course, the Practitioner Certificate in Personal Data Protection3.

The DPEXNetwork has outlined a comprehensive learning roadmap4 that takes the individual from baseline competency all the way to professional certification (e.g. ISO certification or certification from the International Association of Privacy Professionals - IAPP).

Explore the various development routes: a listing of courses is available for one’s upskilling.

To accelerate the learning journey on data protection, the DPO may:

  1. Explore Micro Accreditation for General Employees
  2. Attend Specialised Training for Managers and Management
  3. Upskill with Self-Learning programmes
  4. Attend International Forums by Experts and Experienced Professionals
  5. Join DPO Support Groups on Social Media e.g., DPEX Network, PDPC’s DPO group, etc.

The DPEXNetwork, for example, shares weekly updates on its WhatsApp groups, Facebook and LinkedIn pages. There will be continuous challenges in this new data protection sphere, especially with the rapid advancement of technology. This journey can be less arduous with the support of the data protection community.

Outlook for Data Protection Officers and Professionals

The field of data protection and privacy is booming. Data protection officers or those with data protection expertise are in high demand. The good news is that anyone with an interest in data protection can become a DPO or acquire data protection expertise with the right learning roadmap.

By every indication, the need for DPOs will continue to grow significantly for the foreseeable future given that ASEAN is going to be one of the hottest regions for data protection legislation.


To learn more about how to incorporate good data protection practices in your organisation, check out our hands-on data protection officer course.



Written by Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.



1 http://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-protection-officers

2 http://www.pdpc.gov.sg/Help-and-Resources/2020/03/DPO-Competency-Framework-and-Training-Roadmap

3 http://www.dpexnetwork.org/courses/practitioner-certificate-in-personal-data-protection/

4 http://www.dpexnetwork.org/articles/dpex-networks-learning-roadmap-for-data-protection/


