The data protection laws of many countries require organisations handling personal data to demonstrate accountability and responsibility. This entails having a compliance programme (that includes pre-emptive safeguards as well as risk management) which is commonly known as a data protection/privacy management programme (DPMP). Hence, it is the DPO who runs the DPMP in order to sustain the compliance efforts in accordance with the data protection requirements.
To perform the data protection role effectively, the DPO should know how personal data is collected, used, disclosed and stored (CUDS) within the organisation’s business processes, since it cannot be governed otherwise.
This knowledge is crucial because:
Data protection should be viewed as part of corporate governance, risk management and compliance (GRC), rather than the common misconception that it is just about cybersecurity. Having some knowledge of Information Technology (IT) would definitely be an advantage to perform the DPO role, given how pervasive technology is. However, processing personal data does not just involve technology, but is prevalent in every part of the organisation’s operation: from reception to the paper recycling bin.
So what does a DPO do? First, a DPO must understand the applicable data protection law (PDPA, DPA, GDPR or the laws of whichever jurisdictions the organisation operates or trades in). The organisation should take time to assess its needs before appointing a person suitable for the role of DPO. The Singapore Personal Data Protection Commission (PDPC) outlines the DPO’s responsibilities as including the following [1], although in our experience they often extend beyond these:
The DPO can be someone from within your organisation. Larger organisations might appoint someone specifically to take the DPO as their full-time job. In smaller organisations, it’s more common to see double-hatting - that is, where the responsibilities of a DPO are added to another job role.
In fact, in a survey conducted amongst DPOs in 2020, DPEXNetwork found that 66% of DPOs “double-hat”, many of them in the field of Business Process/Continuity planning and/or Compliance.
Source: DPEXNetwork DPO Survey 2020
From the requirements (a) and (b), we can understand why the PDPA guidelines recommend the DPO to be of a fairly senior level (from mid to senior management)
"Appoint a Data Protection Officer (“DPO”), preferably from senior management, who can effectively direct and oversee data protection initiatives. The DPO will be supported by representatives from various organisational functions." [1]
as he/she will have to understand and have some working knowledge to work with the various business lines.
Secondly, it is apparent that data protection work belongs to governance, risk management and compliance (GRC), although knowledge of information systems is helpful: for instance, the DPO should have some appreciation of information security issues.
Thirdly, a key responsibility area is to document and implement policies and processes for handling personal data that comply with the requirements of the PDPA or the applicable data protection law. Hence, DPOs need to work with business line managers to ensure ongoing operational compliance with the stated policies and processes.
Finally, DPOs may need to wear several hats when performing their roles: compliance, project and risk manager; trainer; counsellor; and investigator. They would also need to be able to communicate and liaise with senior management. Hence, the role calls for a more experienced person who can work with the various business operational lines and turn data protection knowledge into practical policies and processes.
Do note that the risks associated with processing personal data may be enterprise- and industry-specific. Therefore, it is important that the DPO be hands-on and familiar with the company’s business operations and the data handling needs of that specific industry.
In light of the above-listed requirements, what would be the skills required of a DPO? Below is a list of just some of the skill set requirements:
In today’s context, everyone is expected to have knowledge of how data is collected for business operations and/or analytics, which would come with work experience, i.e. it would be difficult for an inexperienced worker to be a DPO.
As data protection is a new field, it would be difficult to find an “experienced” candidate. As mentioned, a possible “hack” is to find those who have gone through the training (i.e. who have learnt from the knowledge and experience of others).
Whilst many jurisdictions allow the DPO role to be outsourced, the third-party service should be seen as supplementary, as the organisation remains accountable. There are inherent benefits in employing an in-house DPO to manage the DPMP, as he/she has the specific company and industry knowledge and the networking relationships.
The Singapore PDPC outlines the DPO Competency Framework and Training Roadmap (Framework) [2] to guide Data Protection (DP) professionals in enhancing their competencies so as to perform their job functions effectively in an organisation. The Framework outlines the core competencies and proficiency levels for a DPO and provides guidance on a viable career pathway from entry-level data protection executives to regional data protection senior management roles. These are the skills that can be learnt through training.
Aspiring candidates going into the data protection field should choose the training programme and trainers carefully. The DPEXNetwork is one platform that a person can go to for the baseline course, the Practitioner Certificate in Personal Data Protection [3].
The DPEXNetwork has outlined a comprehensive learning roadmap [4] that takes the individual from baseline competency all the way to professional certification (e.g. ISO certification or certification from the International Association of Privacy Professionals, IAPP).
Explore the various development routes:
To accelerate the learning journey on data protection, the DPO may:
The DPEXNetwork, for example, shares weekly updates on its WhatsApp groups, Facebook and LinkedIn pages. There will be continuous challenges in this new data protection sphere, especially with the rapid advancement of technology. This journey can be less arduous with the support of the data protection community.
The field of data protection and privacy is booming. Data protection officers or those with data protection expertise are in high demand. The good news is that anyone with an interest in data protection can become a DPO or acquire data protection expertise with the right learning roadmap.
By every indication, the need for DPOs will continue to grow significantly for the foreseeable future given that ASEAN is going to be one of the hottest regions for data protection legislation.
Written by Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork