What is a Data Protection Officer (DPO)?
Under the Personal Data Protection Act 2012 (PDPA), organisations are required to develop and implement the policies and practices necessary to meet their obligations under the PDPA. In particular, organisations are required to designate at least one individual, known as the data protection officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA. DPOs may register with the PDPC to keep abreast of developments in the PDPA.
What are the Responsibilities of a Data Protection Officer (DPO)?
An organisation may appoint one or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.
Organisations with manpower or capability constraints can also consider outsourcing parts of the DPO function to a service provider. Do note, however, that the DPO function is management’s responsibility and that the outsourcing service should cover only the operational aspects of the DPO function.
Organisations should take time to assess their needs before appointing a person suitable for the role of a DPO. The possible responsibilities of a DPO may include, but are not limited to, the following:
- Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
- Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
- Manage personal data protection related queries and complaints;
- Alert management to any risks that might arise with regard to personal data; and
- Liaise with the PDPC on data protection matters, if necessary.
To build personal data protection capabilities of DPOs and organisation representatives engaged in data protection compliance, a two-day course, Fundamentals of the Personal Data Protection Act, has been developed under the Business Management Workforce Skills Qualifications (BM WSQ) framework.
Is a Data Protection Officer Needed?
All organisations that operate in Singapore are required to have a Data Protection Officer (DPO). This is a requirement under the PDPA; organisations can appoint their data protection officer and enter the DPO's information on the PDPC website.