By Syed Isa Alhabshee,
The legal landscape in Singapore has seen a fairly significant transformation in recent years. The onset of the COVID-19 global pandemic, with the resultant drastic restrictions in workforce mobility, has caused many companies (law firms included) to implement or fast-track their digitalisation process. That is not to say that the drive to adopt technology solutions in the legal industry is a new phenomenon. In 2017 and 2019 respectively, the Ministry of Law launched the Tech Start and Tech-celerate for Law programmes, with the aim of encouraging and helping law firms to harness and leverage on technology solutions to improve their productivity and enhance their legal offering. A further step in this direction was recently taken with the Legal Industry Digital Plan (IDP), being the first IDP to discuss Artificial Intelligence (AI) and Generative AI solutions and their potential uses by Singapore law firms.
However, with the push towards digitalisation comes the increased risk of data privacy and data governance infractions. In 2021 and 2022, a total of 49 enforcement decisions were issued by the Personal Data Protection Commission (PDPC) of Singapore against companies who had fallen short of the requirements under the Personal Data Protection Act 2012 (PDPA) and its associated regulations. The legal sector has not been left unscathed either, with enforcement action being taken against a law firm and the Law Society of Singapore in recent years.
Against this backdrop, the need for well-trained Data Protection Officers (DPO) and data governance professionals has never been more apparent. Aside from having to navigate the laws and regulations surrounding the proper handling of personal data, companies now have to contend with increasingly sophisticated cyberattacks carried out by dedicated threat actors. The meteoric rise of Generative AI in the last year or so has further compounded this issue, where the tools to create malware code, phishing emails, and convincing deepfakes have now been placed at the fingertips of the lay person. Companies, let alone law firms, must now seriously consider formulating a strategy to protect their data assets, with a DPO or data governance professional being at the core of their efforts.
As personal data protection laws continue to evolve, so do the prospects for a career in data protection. A quick scan of the ASEAN member states shows that more than half have now implemented their own data protection laws, with Singapore, Malaysia, Indonesia, Thailand, the Philippines, and Vietnam leading the charge. Brunei, another ASEAN country, is in the midst of developing its own laws.
With this increased emphasis on data protection comes a resultant rise in the demand for certified and experienced data protection and data governance professionals. In a recent report released by SkillsFuture Singapore, skills in Data Protection Management were described as one of the most in-demand in the Data Management sector. Moreover, in countries where the appointment of a DPO is mandatory (as in the case of Singapore, Indonesia, Thailand, the Philippines, and Vietnam within the ASEAN countries), it is expected that the demand would naturally be even greater. As a case in point, in Singapore, a job search study conducted in 2022 found a 125% year-on-year increase in data protection-related job postings. Further, 37% of the job positions available either advertised for a data governance role or included data governance in the job description. Professionals within the data protection sector may also expect to fetch higher salaries, as shown in a salary survey conducted by the International Association of Privacy Professionals (IAPP) in 2023. It found that the overall average base salary for internal privacy professionals has continued to rise since 2019, with these professionals earning about USD146,200 in annual compensation on average (a 10% increase from 2019).
The strong demand for data protection and data governance professionals presents a unique opportunity for legal professionals. With their firm understanding of legislation and regulatory frameworks, legal professionals are well-positioned to navigate the complexities of data privacy laws such as the PDPA in Singapore, or the General Data Protection Regulations (GDPR) in the European Union. Their expertise in crafting and reviewing legal documents also come to bear; a critical component of a company’s data protection strategy are tightly-worded agreements that impose the relevant obligations on third-party organisations that personal data is disclosed to. All these skills provide an advantage to the legal professional who is either looking to make a career transition into data protection, or to broaden his or her professional horizons by taking on the additional role of a DPO.
That said, focusing only on the legal aspects of data protection may potentially blindside a legal professional assuming the role of a DPO. A DPO is also required to understand how the obligations under the data protection laws apply to his or her organisation at an operational level. This requires the DPO to first have a keen understanding of the business processes within the organisation that handle personal data, which involves a period of observation and close communication with relevant stakeholders on the ground. The DPO must thereafter construct a Data Protection Management Programme (DPMP) that accounts for the entire lifecycle (collection, use, disclosure/transfer, storage/disposal) of the personal data in each business process. The data privacy program model developed by the IAPP is widely accepted as being practical and effective, and is broken down into the following stages:
By integrating both the legal and operational aspects of data protection, the legal professional who transitions into a DPO role will be able to ensure that he or she is able to effectively assist the organisation to develop a well-rounded DPMP.
Looking ahead to 2024, the data protection sector appears set to continue its steady growth as digital transformation efforts accelerate amongst organisations in the region. In particular, with the scramble by organisations to adopt new Generative AI tools so as to gain a competitive advantage, it is anticipated that the data protection risks it brings may be overlooked or sidelined. To that end, the PDPC has recently issued a consultation paper, which when finalised will guide organisations on how the PDPA applies across the different stages of the implementation of AI systems.
Another area that is coming under greater scrutiny is the processing of children’s personal data. In the EU, large technology, and social media companies (such as TikTok, Instagram and Epic Games) have already come under fire for the alleged mishandling of children’s personal data. The huge fines that have been levied (up to the tune of about €400 million) are testament to the recognition that children are a highly vulnerable demographic and that the processing of their personal data warrants special attention and protection. In Singapore, the PDPC is now in the midst of developing guidelines that are intended to apply to organisations that offer products or services that are accessed or likely to be accessed by children.
And finally, with the increased recognition of data protection excellence as a market distinguisher, many companies have become increasingly keen to explore the Data Protection Trustmark (DPTM) certification. The DPTM is presently the gold standard in data protection certification in Singapore and is awarded by the IMDA to organisations who have demonstrated sound and accountable data protection practices. The certification process itself is stringent, consisting of several stages of assessments, interviews, and remedial efforts to close the gaps that are identified. The organisations who successfully run the gauntlet stand to open more doors of opportunity for themselves; quite aside from enjoying a boost in customer confidence, they also gain a competitive advantage in tender bids which increasingly prefer vendors with DPTM certification.
In closing, the data protection industry presents an exciting opportunity for legal professionals to venture into. The skillsets they have honed over their years of legal practice or as in-house counsel will continue to remain highly relevant. A successful transition will however also require the legal professional to augment his or her skills with operational knowledge and experience. To facilitate this, a slew of professional certifications and courses from recognised institutes are available, many of which are eligible for SkillsFuture funding. Other resources are also freely available for the aspiring data protection professional, such as those offered by the Data Protection Excellence Network (DPEX). For the in-house counsel looking to expand his or her scope, the role of a DPO offers the prospect of career progression and increased remuneration.
This article was first published on The Law Gazette on 12 Jan 2024.
Get access to news, enforcement cases, events, and actionable tips and guides
Get regular email updates and offers
Job opportunities, mentorship and career guidance
Exclusive access to Data Protection community - ask questions, network and share knowledge with peers and experts via WhatsApp and Linkedin
DPEX Network is a Community Initiative of Straits Interactive.
Copyright © Straits Interactive Pte Ltd. All Rights Reserved.
All intellectual property rights to logos and brands featured on this website remain the property of their respective owners.