Why DPOs Matter and How Gen AI Can Enhance Data Protection

2024-10-28

By Wendy Lim, Industry Development Director & DPO Success Ambassador, Straits Interactive


Several businesses in Singapore were caught in a momentary frenzy last month to appoint their Data Protection Officers (DPO) before the 30th September deadline set out by the Personal Data Protection Commission (PDPC). In the notifications that the PDPC had sent to companies registered with the Accounting and Corporate Regulatory Authority (ACRA), all were pressed to submit their DPO’s information through ACRA’s BizFile+ website. 

This urgency comes at a time when new technologies are evolving at breakneck pace, making the role of the DPO ever more critical in strengthening accountable data protection practices and overseeing systems of governance in an organisation. As digital transformation reshapes industries, it’s clear that the expanding scopes of DPOs must be supported by innovative tools, such as generative AI, to enhance their work too. 

At Straits Interactive’s recent DPO Roundtable, I had the opportunity to speak about this alongside our CEO, Kevin Shepherdson, where we updated our DPEX Network community on the current state of data protection in Singapore and what we’re doing to support the privacy profession. 

Enforcement Cases and New Challenges in Data Protection

Data is indispensable to the digital backbone that supports our daily work, especially with the growing co-existence of generative AI alongside workers across industries. This breeds new responsibilities of heightened importance for DPOs, to protect sensitive data and build trust with customers and partners. 

There have been 14 enforcement cases so far this year, not far from the 17 seen in 2023. Nearly all of the cases involved a breach of the Protection Obligation, and most occurred in the Wholesale and Retail industry, closely followed by the Education and Transport industries.


According to the 2012 Personal Data Protection Act (PDPA) of Singapore, all organisations that handle personal data must designate a DPO to ensure compliance with privacy regulations. While the PDPC has clarified that missing the 30th September deadline for DPO appointment will not result in penalties, being caught in a data breach unprepared could result in up to SGD 1 million in fines or 10% of the annual sales turnover, whichever is higher. Businesses are therefore encouraged to meet their DPO-related obligations promptly and proactively manage their Data Protection Management Programmes (DPMP) to mitigate risks associated with non-compliance. 

As the Singapore government attempts to make the AI ecosystem more supportive for businesses, enacting AI Governance is essential. In her opening address at this year’s Personal Data Protection (PDP) Week, Singapore’s Minister for Digital Development & Information, Josephine Teo, announced that the Ministry of Digital Development and Innovation (MDDI) was introducing safety guidelines for AI model development, transparency and testing. The MDDI also intends to support an increased usage of privacy-enhancing technologies (PETs) in AI, as PETs can help businesses optimise the use of data without compromising personal information.

DPOs must now expand their domains of knowledge beyond data protection to understanding new technology and its risks, and be open-minded to augmenting their ways of working with generative AI. 

Generative AI for the Privacy Profession

Generative AI has been known to improve efficiency and decision-making and to accelerate collaboration in the workplace. But how does this technology impact the work of a DPO?

Innovation in data protection practices has always been a key mission of Straits Interactive. Driven by this, we took to our next-gen Capabara platform and demonstrated how applications of generative AI in the workplace can extend beyond the usual business scenarios. 

Take, for example, an app we created that summarises PDPC enforcement case documents. It keeps DPOs updated on the latest regulatory decisions in a more palatable format that can be adapted to different modes of staff communication. This is just one aspect of our efforts to AI-enable privacy management in totality.

In our endeavour to provide advanced, user-friendly tools that enhance compliance, we recently rolled out DPOinBOX AI, which replaces the original DPOinBOX privacy management software that we first introduced in 2014. Now fitted with generative AI capabilities on the Capabara platform, the new version significantly enhances productivity and risk control analysis, working up to 5-10 times faster than conventional methods. Where the original software was task-focused, DPOinBOX AI is outcome-focused.

DPOinBOX AI comes as a multi-app package that can alleviate the pain points of both the DPO and staff by offering comprehensive generative AI toolkits for each. The AI DPO Toolkit is tailored for the privacy work of DPOs, while the AI DP Staff Toolkit guides staff towards playing an informed part in practising data protection. Holistically, the toolkits come together to facilitate the maintenance of a company’s data governance for more effective compliance with regulations. 

The AI DPO toolkit is designed to assist DPOs with building Data Inventory Maps, Data Protection Impact Assessments (DPIAs), and recommending controls to address risks. It also allows collaboration with stakeholders through real-time document sharing. Notably, it includes the region’s first AI DPO Assistant, which draws on a corpus of privacy regulations and guidelines to provide detailed guidance on privacy-related concerns and help organisations comply with privacy regulations like Singapore's PDPA. The apps in the toolkit are curated according to the GAPSR framework for privacy management - that is, to Govern the DPMP, Assess the risks, Protect with controls, Sustain compliance and Respond to incidents or breaches.

Education is Still a Necessity

As generative AI tools become integral to data protection efforts, it's imperative for DPOs to upskill and acquire new competencies. Dealing with more advanced technologies necessitates a solid understanding of both their capabilities as well as the risks and ethical considerations they entail. Professional development courses such as the AI Business Professional, Advanced Certificate in Generative AI, Ethics, and Data Protection and the IAPP’s Certified AI Governance Professional programme provide DPOs with the knowledge and skills needed to operate in today’s landscape of digital transformation.

In recognition of the changing times brought about by the advent of generative AI, the IAPP has expanded its mission and rebranded itself to better reflect its broadened scope. The updated mission statement reads: "The IAPP is a not-for-profit association founded in 2000 with a mission to define, promote and improve the professions of privacy, AI governance, and digital responsibility globally." This shift underscores the increasing intersection of data protection, AI governance, and digital ethics.

Steadfast in the Face of Change

DPOs stand at the forefront of ensuring compliance and fostering trust within their organisations. By embracing generative AI tools and investing in ongoing education, they can not only mitigate risks but also drive innovation in their roles. The integration of generative AI into data protection practices offers a promising avenue for DPOs to enhance efficiency and effectiveness. However, it is essential to approach these advancements with a commitment to ethical considerations and a proactive stance on governance. In this dynamic environment, staying informed and adaptable is key to navigating the future of data protection in Singapore and beyond.


Capabara, our Next-Gen AI Capability-as-a-Service platform, is currently available in beta. Sign up as a beta user, and stay tuned to our latest announcements on its development by following our CAPABARA LinkedIn page or heading over to capabara.com to find out more about how your organisation can be empowered through safe and secure generative AI.

DPOinBOX AI is our latest iteration of privacy management software, powered by generative AI, to help Data Protection Officers with compliance and data governance. Sign up for a demo at dpoinbox.ai to see how it can augment your data protection practices.


This article was first published on The Governance Age on 16 Oct 2024

