What is the Role of a Data Protection Officer and Their Key Responsibilities?

The Data Protection Officer Role in Current Trends and Compliance

The global pandemic has sped up the process of digitalisation and transformed the landscape of the economy. Unfortunately, the recession and shrinking market have caused many to lose their means of livelihood. Many businesses are adapting to online transactions and digital solutions as part of their effort to survive. In the bid to quickly digitalise their business, they may neglect efforts to build data protection aspects into their operational controls. Hackers and other malicious agents wait for an opportune time to take advantage of these situations and steal customer or employee data from these businesses. Under this situation, a career that is quietly but surely on the rise is the Data Protection Officer (DPO) role.

To learn more about Data Protection and the importance of DPOs in safeguarding personal data, please read our Data Protection 101 guide.

The tasks of a DPOs can be summarised into the acronym G-A-P-S-R:

First and foremost, a DPO’s task is to assist the organisation to govern how personal data is being collected, used, disclosed, or stored within an organisation according to the requirements of the Personal Data Protection Act and relevant data protection laws.

From an operational perspective, the responsibilities of the DPO are to:

Assess the risks relating to the processing of personal data and this includes conducting a data protection impact assessment (DPIA).

Protect the organisation by developing a data protection management programme (DPMP) against these identified risks. This includes implementing policies and processes for handling personal data.

Sustain the above compliance efforts by communicating personal data protection policies to stakeholders including training of staff involved; conducting audits as well as ensuring the ongoing systematic monitoring of risks.

Respond and manage personal data protection-related queries and complaints as well as liaising with the data protection regulators (local and/or international) on data protection matters, especially if there is a data protection breach incident or protection issues. Under the Personal Data Protection Act (PDPA), each organisation in Singapore is required by law to designate at least one individual as a DPO. As part of its legal requirements, all firms in Singapore need to ensure that personal data of both external and internal stakeholders, such as customer and employee data, are protected. The Data Protection Officer role is defined in the PDPA as an individual who is designated to oversee the data protection responsibilities within the organisation and ensure compliance with the law.

Countries in ASEAN have started to legislate laws that protect personal data in response to the requirement set by the more mature markets. Many of them model after the European Union which enforces the General Data Protection Regulation (GDPR). The regulation stipulates that DPOs have an enterprise security leadership role that requires the DPO to assist the organisation in monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

To learn about data protection laws in selected Asian Countries, click here.

How trained data protection officers on staff can benefit companies

All organisations will more than benefit from hiring a DPO. The first important benefit of hiring a DPO in an organisation is to mitigate the risk of the organisation from having a data protection breach and to demonstrate that the organisation is accountable and responsible for the personal data that it handles through a comprehensive protection strategy. A DPO can formulate a DPMP and Data Breach Management Plan which will be helpful in demonstrating that due diligence has been undertaken.

In Singapore, the new amendment in the PDPA has an enhanced focus to require organisations to report a breach within three days, which is a similar requirement to the GDPR.

DPO’s can also guide the organisation in attaining the required data protection standards, for example, the Data Protection Trustmark (DPTM) in Singapore. Through working with the various departments, they would be able to have a data map, identifying gaps and performing risk assessments as well as recommendations to minimise the risks - actions and plans that would help fulfil the DPTM requirements as well.

Skills Needed to be a Successful Data Protection Officer

A good DPO needs to be versatile and have several skill-sets. As demand for DPOs continue to increase in recent years, the scope of their role has been listed by the Singapore PDPC, which includes to:

1. Develop and review a Data Protection Management Programme (DPMP) that covers policy, processes, and people for the handling of personal data at each stage of the data lifecycle, which is a core activity;

2. Perform a Data Protection Impact Assessment (DPIA) to identify, assess and address business risks, based on the organisation's functions, needs, compliance requirements, and processes;

3. Develop a training programme to educate staff on personal data protection policies and processes/SOPs;

4. Oversee activities to foster personal data protection awareness within the organisation;

5. Enhance protection compliance processes based on an evaluation of gaps in business operations and data protection requirements, and clarify on ethically questionable situations at various stages of data or information life cycle;

6. Facilitate the implementation of data innovation by translating the user's privacy and personal data protection requirements into a data-driven design thinking process.

Understanding and Implementing a Global Privacy Standard

While a DPO requires specific expert knowledge and skill in data protection, they will also need the soft skills that enable them to work with others as a facilitator/manager of a team. Their job description comes with working experience which would include:

1. Understanding of the organisation's operations and business processes as it relates to processing or C-U-D-S (Collection, Use, Disclosure/Transfer, Storage/Disposal) of personal data.

2. In-depth knowledge of data protection/privacy laws and protection regulations, including drafting of privacy policies, technology provisions and outsourcing agreements

3. Appreciation of IT systems and protection practices, especially in the areas of security and privacy standards

4. Deep understanding of auditing, attestation audits, internal audits, and the assessment and mitigation of risk

5. Leadership skills achieving stated objectives involving a diverse set of key stakeholders and managing varied projects

6. Negotiation skills to interface successfully with Data Protection Authorities/regulators

7. Able to manage client/customers (members of the public)/internal stakeholders relationship to continuously coordinate with regulators, internal business units and processors while maintaining independence

8. Demonstrated communication skills to speak with a wide-ranging audience, from the management to individuals (data subjects), from managers to IT staff and lawyers

9. Being a self-starter with the ability to gain required knowledge in dynamic environments

Expert knowledge is crucial to understanding the global privacy standard. It is important that DPOs should also go for regular training and attain internationally recognised certifications like the Certified Information Privacy Professional - Asia (CIPP/A) Certified Information Privacy Professional - Europe (CIPP/E) Certified Information Privacy Manager (CIPM) Certified Information Privacy Technologist (CIPT). This ensures that the DPOs are better equipped with the relevant knowledge in data protection to assist them in helping their organisation achieve a global privacy standard and properly carrying out their job description. These will allow them to perform well in their roles and responsibilities as a DPO.

Can You Allocate the Role of a Data Protection Officer to an Existing Employee?

After asking, "What does a Data Protection Officer (DPO) do?" Your next question might be if it's possible to assign someone who's already part of the organisation.

The straightforward answer is: Yes, you can allocate the Data Protection Officer role to an existing employee within your organisation. The PDPA and GDPR allows organisations to appoint an internal DPO, which means that you do not necessarily need to hire someone specifically for the Data Protection Officer role.

However, it is crucial to ensure that the selected employee has a clear understanding of the company's IT processes and the responsibilities associated with the role of a DPO. Additionally, they should be provided with the necessary resources and support from senior management to effectively carry out their data protection officer duties.

Once you have identified the appropriate individual for the DPO role, you should formalise the appointment by drafting and submitting an appointment of DPO letter to the relevant regulatory authority, such as the PDPC. This letter should include details like the company’s information, the name of the appointed DPO, their delegated tasks, their position within the organisation, and the required signatures.

Appointing existing employees as DPOs lets you leverage their familiarity with the organisation while ensuring compliance with data protection regulations. However, there is also the option to contract independent data protection experts, which has its own perks.

Having the Right Tools and Resources

It is important to ensure your DPO has the tools and resources needed to implement the necessary controls for the organisation. Here are several key elements that are essential for empowering your DPO:

1. Access to Relevant Data Management Systems

Data protection requires an in-depth understanding of how data flows within the organisation. DPOs should have access to robust data management systems that facilitate monitoring, recording, and reporting of data handling practices. Tools for data inventory and classification, such as data mapping software, help the DPO visualise where sensitive information resides and how it’s used.

2. Compliance Management Tools

Utilising compliance management software enables DPOs to streamline the compliance process. These tools can assist in documenting compliance activities, tracking policies and procedures, managing consent, and retaining records of data processing activities. They can also simplify the task of conducting Data Protection Impact Assessments (DPIAs), a necessity for high-risk data processing activities.

3. Training and Awareness Programs

The DPO is crucial in fostering a culture of privacy and data protection within the organisation. They should have access to training resources that can support ongoing education for employees about data protection policies and practices. This may include online training modules, workshops, and seminars tailored to different departments and roles and responsibilities within the company.

A trained DPO can provide an advantage for businesses by finding methods to minimise the risk of a data breach and help sustain a data protection programme within the organisation systematically. From a survey by the DPEX Network, it can be inferred that the risks of data breach can be halved if a DPO is trained.

Click here to have an overview of learning and development for DPOs.

Click here to assess what learning and development is required for you/your DPO.

Article contributed by Kevin Shepherdson (FIP, CIPM, CIPP/A, CIPP/E, CIPT, GRCP) 

Updated on 13 October 2021

Singapore PDPC

data protection/privacy laws