Issues and Challenges faced by Data Protection Officers in Singapore (Part I)

2020-11-10

Findings from the Survey on DPOs in Singapore 2020 


Since the Singapore Personal Data Protection Act (PDPA) came into effect, organisations have been required to appoint at least one individual, generally known as a Data Protection Officer (DPO), to be responsible for the personal data in the organisation's possession or under its control, and to serve as the designated business contact between the organisation and the public on data protection matters.

DPEXNetwork conducted an online survey with the objective of understanding the challenges faced by DPOs. Responses were collected from 3 March to 8 June 2020.



Findings:

Besides appointed DPOs, some respondents were not officially designated DPOs but were involved in, or had a keen interest in, data protection work, or were undergoing training to advance a data protection career. The implication is that there is a pool of potential data protection officers training for and entering the profession.


Of the respondents who are appointed as DPOs, only 12% are dedicated DPOs. The remaining 88% are "double-hatters" who carry other responsibilities and/or hold a legal counsel role in the organisation. That only 12% of respondents are dedicated DPOs suggests that many organisations could, and should, pay more attention to the role of the data protection officer.

The other portfolios they hold concurrently with their DPO roles include:

The most common concurrent role is Business Process/Continuity. This is in line with the common perception that data protection is related to Business Continuity Management (BCM), which is not necessarily wrong as long as the organisation retains accountability for data protection.

Because of their multi-portfolio roles, nine in ten of the designated DPOs who double-hat spend less than half their time on data protection related work, which may reduce the effectiveness of that work.



Consistent with the finding that the large majority of organisations do not have dedicated DPOs, the survey also found that many organisations (two in five) do not have a dedicated data protection committee (working group). As the Personal Data Protection Commission invariably looks at business practices and SOPs, both in its guidance on Data Protection Management Programmes and in its investigations, organisations need to form a committee (working group) co-ordinated by the DPO and comprising the business 'owners' of personal data, that is, the heads of the departments that collect, use or disclose personal data. In this way, the organisation can effectively manage its data protection programme.

In the absence of a committee (working group) comprising individuals responsible for collecting, using or disclosing personal data in their areas of business responsibility, the DPO is severely hampered from working effectively and the organisation may well fail in its data protection efforts.

Not surprisingly, the biggest challenge reported by DPOs and others working in the data protection field is insufficient bandwidth to do a proper DPO job. Logically, therefore, they face significant difficulty in developing and implementing data protection policies and practices/SOPs and in conducting Data Protection Impact Assessments (DPIAs). These tasks, which are in no way optional, require a fair amount of the DPO's time and attention in co-ordinating the activities of the business 'owners' of personal data to achieve outcomes that support business processes effectively and efficiently.


Perhaps due to the lack of bandwidth, perhaps due to a lack of focus on data protection by the business 'owners' of personal data, or a combination of both factors, a high percentage of those involved in data protection work reported that their organisation had experienced some kind of data incident/breach in the last 36 months.

Conclusion


  • Most DPOs have more than one portfolio. Data protection is most often combined with a Business Process/Continuity role or with a Compliance/Internal Audit role.
    • 66.2% Double Hatting
    • 22.3% DPOs are legal counsels
    • 11.5% Dedicated DPO
  • Two in five of the organisations that the DPOs work in do not have a dedicated data protection committee/team. This indicates that the data protection programme likely does not have significant operational input in relation to the collection, use or disclosure of personal data, and that it may therefore be one-off or ad hoc.
  • The challenge most DPOs face is a lack of bandwidth to perform their responsibilities well. Without the co-operation of the departments that own the data sources, a significant percentage also find it difficult to undertake DPO responsibilities.
  • One in four DPOs are aware that their organisation encountered a data breach/incident in the past three years. Whilst this is somewhat lower than the global average of 28% in the past two years, the statistic is nonetheless of concern to both consumers and organisations, given the trend of jurisdictions ramping up their data protection legislation.
  • The proposed changes to the Singapore Personal Data Protection Act (an increase in the maximum financial penalty and heavier potential liability for employees in decision-making roles) are a strong indication that enforcement will intensify. It is therefore likely that more DPOs will be required in organisations, and that they will need to spend more time co-ordinating the development and implementation of the data protection management programme in their organisations.



See Part II for further challenges faced by DPOs.

See also the learning journey roadmap of a DPO.


Written by Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.


