The data protection laws of many countries require organisations that handle personal data to demonstrate accountability. In practice this means running a compliance programme, covering pre-emptive safeguards as well as risk management, commonly known as a data protection management programme (DPMP). The Data Protection Officer (DPO) is the person who runs the DPMP and sustains the organisation's compliance efforts in line with the applicable DPO requirements. In countries such as Singapore, every organisation is required to appoint a DPO.
Before anything else, it is crucial to understand the role of a DPO in the landscape of data privacy and protection. A DPO, sometimes called a Personal Data Protection Officer, is an individual tasked with overseeing an organisation’s data protection strategy and compliance with laws and applicable privacy regulations—a role that has become particularly important due to the increasing volume of personal data being collected and processed by companies across all sectors.
In a nutshell, the primary responsibility of a DPO is to act as a bridge between the organisation and the regulatory authorities. The DPO advises management on good practice in data processing, monitors internal compliance, and serves as the point of contact for the individuals whose personal data is being processed and for other key stakeholders. The DPO must ensure that the organisation adheres to the principles of data protection: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
In addition to compliance, the DPO plays a crucial role in fostering a culture of data protection within the organisation. This means promoting awareness on privacy and understanding of data privacy issues among employees, conducting training sessions, and ensuring that everyone involved in data handling comprehends their responsibilities. Furthermore, part of the data protection officer’s job description includes maintaining records of processing activities, conducting Data Protection Impact Assessments (DPIAs) when necessary, and responding to data breaches or incidents that may compromise personal data.
To perform the role effectively, the DPO must know how personal data is collected, used, disclosed and stored (CUDS) within the organisation's business processes, because each phase of that information life cycle carries its own processing risks that need to be identified. The Personal Data Protection Act, or whichever data protection law applies, governs the CUDS of personal data.
Data protection should be viewed as part of corporate governance, risk management and compliance (GRC), rather than the common misconception that it is just about cybersecurity. Having some knowledge of Information Technology (IT) would definitely be an advantage to perform the role of a data protection officer, given how pervasive technology is. However, processing personal data does not just involve technology, but is prevalent in every part of the organisation's operation: from reception to the paper recycling bin.
So what does a DPO do? First, a DPO must understand the applicable data protection law (the PDPA, DPA, GDPR, or the laws of whichever jurisdictions the organisation operates or trades in).
You might ask, "Do I need a data protection officer?" In Singapore the PDPA makes the appointment mandatory, so the real question is what kind of appointment the organisation needs, and that deserves a proper assessment before anyone is appointed. The Singapore Personal Data Protection Commission (PDPC) lists the following DPO responsibilities; in our experience the role often extends beyond them:
1. Ensure compliance with PDPA when developing and implementing policies and processes for handling personal data;
2. Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
3. Manage personal data protection related queries and complaints;
4. Alert management to any risks that might arise with regard to personal data; and
5. Liaise with the PDPC on data protection matters, if necessary.
The DPO can be someone from within your organisation. Larger organisations might appoint someone to take on the DPO role as a full-time job. In smaller organisations it is more common to see double-hatting, where the responsibilities of a DPO are added to another job role, or to engage a data-protection-officer-as-a-service provider.
In fact, in a survey conducted amongst DPOs in 2020, DPEXNetwork found that 66% of DPOs “double-hat”, many of them in the field of Business Process/Continuity planning and/or Compliance.
Source: DPEXNetwork DPO Survey 2020
From these responsibilities, we can understand why the PDPC guidelines recommend that the DPO be fairly senior (mid to senior management):
"Appoint a data protection officer ("DPO") preferably from senior management, who can effectively direct and oversee data protection initiatives. The DPO will be supported by representatives from various organisational functions."
DPOs are expected to collaborate with cross-functional teams, as they need a working knowledge of the various business lines.
Secondly, data protection work is a governance, risk and compliance (GRC) function, although knowledge of information systems helps: before being appointed, a prospective DPO should have some appreciation of information security issues.
Thirdly, a key responsibility area is to document and implement policies and processes for handling personal data that complies with the requirements of the PDPA, data protection law, and other relevant legislation. Hence, data protection officers need to work with internal stakeholders, such as business line managers, and ensure ongoing operational compliance with the stated policies and processes.
Finally, DPOs may need to wear several hats: compliance, project and risk manager; trainer; counsellor; and investigator. They also need to communicate and liaise with senior management. The role therefore calls for an experienced professional, ideally with formal qualifications, who can work with the various business lines and turn data protection knowledge into practical policies and processes.
Do note that the privacy risks associated with processing personal data may be enterprise- and industry-specific. The DPO therefore needs to be hands-on, familiar with the company's business operations and the data handling needs of its industry, and on top of every legal requirement that applies to a data protection officer.
In light of the above-listed requirements, what would be the skills required of a DPO? Below is a list of just some of the skill set requirements:
“Hard skills”
1. Experience in applying data protection law (familiarity with the GDPR is a bonus), including drafting privacy policies, technology provisions and outsourcing agreements. Short of experience, the "hack" is to invest time in attending courses and learning from the knowledge and experience of others.
2. Some knowledge of IT systems and security including information security standards certifications and data protection seals/marks.
3. Familiarity with information systems auditing, attestation audits and the assessment and mitigation of risk.
In today’s job landscape, it may be challenging for an inexperienced worker to start a career as a DPO. The reason for this is DPOs are expected to have an understanding of how data is collected for business operations and/or analytics, and this knowledge comes from actual work experience.
“Soft skills”
1. Demonstrated leadership skills in achieving stated objectives involving a diverse set of stakeholders and managing varied projects.
2. Demonstrated negotiation skills to interface successfully with regulators, individuals (consumers and data subjects) and internal clients.
3. Relationship management skills to continuously coordinate within departments of the organisation and externally with controllers and vendors handling personal data (processors), while maintaining independence.
4. Able to communicate with a wide-ranging audience, from the board of directors to individuals (data subjects), from managers to IT staff and lawyers.
5. A self-starter with the ability to gain the required knowledge in dynamic environments.
6. Demonstrated record of engaging with emerging laws and technologies (which again can be "hacked" by attending training).
7. Able to deal with different business cultures and industries.
It would be difficult to find an “experienced” candidate in this field, so a possible “hack” is to find those who have gone through the training (i.e. learn from the knowledge/experience of others).
Whilst many jurisdictions allow the DPO function to be outsourced, third-party service providers should be seen as supplementary, because the organisation remains accountable. There are inherent benefits in employing an in-house DPO to manage the DPMP, since that person has company- and industry-specific knowledge and established working relationships.
The Singapore PDPC has published the DPO Competency Framework and Training Roadmap (the Framework) [2] to guide data protection (DP) professionals in building the competencies needed to perform their job functions effectively. The Framework sets out the core competencies and proficiency levels for a DPO and describes a viable career pathway from entry-level data protection executive to regional data protection senior management roles. These are skills that can be learnt through training.
Aspiring candidates entering the data protection field should choose their training programme and trainers carefully. The DPEXNetwork is one platform offering the baseline course, the Practitioner Certificate in Personal Data Protection [3].
The DPEXNetwork has also outlined a comprehensive learning roadmap [4] that takes an individual from baseline competency through to professional certification (e.g. ISO certification or certification from the International Association of Privacy Professionals, IAPP).
Explore the various development routes:
1. Advanced Certificate in Data Protection Principles
2. Advanced Certificate in Data Protection Operation Excellence
3. Advanced Diploma in Data Protection
4. Advanced Certificate in Governance, Risk and Data Compliance (GRC)
The full listing of courses is available for those looking to upskill.
To accelerate the learning journey on data protection, the DPO may:
1. Explore Micro Accreditation for General Employees
2. Attend Specialised Training for Managers and Management
3. Upskill with Self-Learning programmes
4. Attend International Forums by Experts and Experienced Professionals
5. Join DPO Support Groups on Social Media, e.g. DPEX Network, PDPC's DPO group, etc.
The DPEXNetwork, for example, shares weekly updates on its WhatsApp groups and its Facebook and LinkedIn pages. There will be continuous challenges in this developing data protection sphere, especially given the rapid advancement of technology, and the journey is less arduous with the support of the data protection community.
The field of data protection and privacy is booming. Data protection officers or those with data protection expertise are in high demand. The good news is that anyone with an interest in data protection can become a DPO or acquire data protection expertise with the right learning roadmap.
By every indication, the need for DPOs will continue to grow significantly for the foreseeable future given that ASEAN is going to be one of the hottest regions for data protection legislation.
To learn more about how to incorporate good data protection practices in your organisation, check out our hands-on data protection officer course here.
Written by Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.
[1] http://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-protection-officers
[2] http://www.pdpc.gov.sg/Help-and-Resources/2020/03/DPO-Competency-Framework-and-Training-Roadmap
[3] http://www.dpexnetwork.org/courses/practitioner-certificate-in-personal-data-protection/
[4] http://www.dpexnetwork.org/articles/dpex-networks-learning-roadmap-for-data-protection/
DPEX Network is a Community Initiative of Straits Interactive.