Do I need a Data Protection Officer?

An organisation may appoint one or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers. 

Organisations with manpower or capability constraints can also consider outsourcing parts of the DPO function to a service provider. Do note, however, that the DPO function is management’s responsibility and that the outsourcing service should cover only the operational aspects of the DPO function. 

Organisations should take time to assess their needs before appointing a person suitable for the role of a DPO. The possible responsibilities of a DPO may include, but are not limited to, the following: 

• Ensure compliance of PDPA when developing and implementing policies and processes for handling personal data;
• Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
• Manage personal data protection related queries and complaints;
• Alert management to any risks that might arise with regard to personal data; and
• Liaise with the PDPC on data protection matters, if necessary.

To build personal data protection capabilities of DPOs and organisation representatives engaged in data protection compliance, a two-day course, Fundamentals of the Personal Data Protection Act, has been developed under the Business Management Workforce Skills Qualifications (BM WSQ) framework.