Personal data is any data about an individual who can be identified from that data, alone or together with other information the organisation has or is likely to have access to; in commercial and business transactions it is typically the name, identification number, contact details and similar fields a customer provides. The improper use and abuse of personal data is a real problem, and so in 2018 companies across the world scrambled to comply with newly enforced data privacy laws and with the immediate need to secure the personal data they handle.
Privacy and the protection of personal data have been recognised since the Universal Declaration of Human Rights of 1948. In May 2018, however, the General Data Protection Regulation (GDPR) became enforceable across the European Union (EU) as its single set of rules for personal data protection, undoubtedly one of the greatest developments in the history of personal data protection. Personal data protection laws are also being formed all over the world, and Singapore is no exception: the Personal Data Protection Commission (PDPC) was formed to administer and enforce the Personal Data Protection Act (PDPA) in Singapore.
These data protection laws were put in place to protect the personal data of individuals like you and me, so that it will not be used fraudulently or for the wrong reasons, and strict penalties apply to organisations that breach them. A breach of the PDPA could at the time attract a maximum financial penalty of S$1 million, and in January 2019 the PDPC imposed exactly that combined amount on SingHealth and Integrated Health Information Systems (IHIS) for the 2018 SingHealth data breach. All organisations in Singapore, other than public agencies, fall within the scope of the PDPA and must comply with it.
The Importance of Data Protection in Europe
Europe joined the bandwagon in May 2018, and the GDPR represents the biggest shake-up of personal data privacy rules since the birth of the Internet. The Philippines is no exception: the Data Privacy Act (DPA) was signed into law in 2012 and is now strictly implemented by the National Privacy Commission (NPC).
The Implementation of the DPA & Data Privacy Compliance in the Philippines
While Philippine companies must appoint a Data Protection Officer (DPO) and register that DPO with the NPC, most DPOs are assumed not to be fully familiar with the policies and processes needed to avoid costly data breaches. That is why we have started to build teams that train DPOs and introduce software that reveals compliance gaps and ways to close them. Data privacy laws give Filipinos, and citizens around the globe, more control over their personal information, and they apply to all firms that do business with them.
The Roles & Responsibilities of Data Protection Officers (DPO)
An organisation may appoint one person or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.
Organisations with manpower or capability constraints can also consider outsourcing parts of the DPO function to a service provider. Do note, however, that the DPO function remains management's responsibility, and that an outsourced service should cover only the operational aspects of the DPO function.
Organisations should take time to assess their needs before appointing a person suitable for the role of a DPO. The possible responsibilities of a DPO may include, but are not limited to, the following:
- Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
- Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
- Manage personal data protection related queries and complaints;
- Alert management to any risks that might arise with regard to personal data; and
- Liaise with the PDPC on data protection matters, if necessary.
Finding DPOs is not easy, here and around the globe. The International Association of Privacy Professionals (IAPP) estimates that more than 28,000 DPOs will be needed in Europe and the US, and as many as 75,000 worldwide, as a result of the data privacy laws. Demand for DPOs is expected to be especially high in data-rich industries such as tech, business process management, digital marketing, finance, healthcare, hospitality and retail, to name a few.
What a DPO Needs to Know
PDPA Assessment of Systems & Processes
- Data privacy, PDPA and GDPR, and information security knowledge.
- Data flow and inventory process management.
- Penetration testing of networks and key installations.
- Vulnerability and data leakage testing of systems.
Data Protection, Storage, Retrieval & Data Access
- Establish relevant policies regarding data protection and cybersecurity.
- Enforce data classification solutions.
- Data loss prevention.
- Encrypted storage devices.
- Information rights management.
Data Protection Audits, Training & Support
- Data protection support programs.
- Onsite data protection audits.
- Data Privacy training and eLearning.
- Information security procedures training.
Response Management, Incident Reporting, Crisis Communication & Policy Reviews
- Response management training.
- Incident management and containment.
- Evidence gathering.
- Crisis communication.
- Review of policies and thresholds.