The importance of Data Protection Officers across Asia | Do I need a DPO for my company?

Personal data is any set of data that can be used to identify a person and is normally collected in the course of a commercial or business transaction. The improper use and abuse of personal data is real, and hence in 2018 companies across the world were scrambling to comply with the sudden emergence of data privacy laws and with the immediate need to secure the personal data they handle.

Privacy and personal data protection have been around for a long time, since the Universal Declaration of Human Rights. However, in May 2018, the General Data Protection Regulation (GDPR) was passed in the European Union (EU) to govern all matters relating to personal data protection. It is undoubtedly one of the greatest personal data protection developments in history. Around the world, personal data protection laws are also being enacted, and Singapore is no exception. The Personal Data Protection Commission (PDPC) was formed to enforce the Personal Data Protection Act (PDPA) in Singapore.

These data protection laws were put in place to protect the personal data of individuals like you and me, so that it will not be used fraudulently or for the wrong reasons. Thus, strict penalties exist for organisations that breach data protection laws. A breach of the PDPA can result in a maximum fine of S$1 million, which was enforced on SingHealth and Integrated Health Information Systems (IHIS) in 2019. Under the scope of the PDPA, all organisations in Singapore must comply with it.

The Importance of Data Protection in Europe

Europe joined the bandwagon in May, and this action represents the biggest shake-up of personal data privacy rules since the birth of the Internet. The Philippines is no exception: its Data Privacy Act (DPA) was signed into law in 2012 and is now strictly implemented by the National Privacy Commission (NPC).

The Implementation of PDPA & PDPA Compliance in the Philippines

While Philippine companies have to comply with the strict data protection rules by naming a Data Protection Officer (DPO) to the NPC, it is assumed that most DPOs are not fully familiar with the policies and processes needed to avoid costly data breaches. That is why we have started to create teams that assist companies in training DPOs and that introduce software to reveal compliance gaps and ways to close them. The data privacy laws give Filipinos and citizens around the globe more control over their online information, and they apply to all firms that do business.

What is a Data Protection Officer (DPO)?

Under the Personal Data Protection Act 2012 (PDPA), organisations are required to develop and implement the policies and practices necessary to meet their obligations under the PDPA. In particular, organisations are required to designate at least one individual, known as the data protection officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA. DPOs may register with the PDPC to keep abreast of developments in the PDPA.

An organisation may appoint one or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.

Organisations with manpower or capability constraints can also consider outsourcing parts of the DPO function to a service provider. Do note, however, that the DPO function remains management’s responsibility, and that the outsourced service should cover only the operational aspects of the DPO function.

Organisations should take time to assess their needs before appointing a person suitable for the role of a DPO. The possible responsibilities of a DPO may include, but are not limited to, the following:

  • Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
  • Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
  • Manage personal data protection related queries and complaints;
  • Alert management to any risks that might arise with regard to personal data; and
  • Liaise with the PDPC on data protection matters, if necessary.

The Roles & Responsibilities of Data Protection Officers (DPO)

Finding DPOs is not easy, here and around the globe. More than 28,000 will be needed in Europe and the US, and as many as 75,000 worldwide, as a result of the data privacy laws, the International Association of Privacy Professionals (IAPP) estimates. The need for DPOs is expected to be especially high in data-rich industries such as tech, business process management, digital marketing, finance, healthcare, hospitality and retail, to name only a few.

What a DPO Needs to know

PDPA Assessment of Systems & Processes

  • Data Privacy, PDPA as well as GDPR & Information Security knowledge.
  • Data flow and inventory process management.
  • Penetration testing of networks and key installations.
  • Vulnerability / Data leakage testing of systems.

Data Protection, Storage, Retrieval & Data Access

  • Establish relevant policies regarding data protection and cybersecurity.
  • Enforce Data Classification solutions.
  • Data loss prevention.
  • Encrypted storage devices.
  • Information rights management.

Data Protection Audits, Training & Support

  • Data protection support programs.
  • Onsite data protection audits.
  • Data Privacy training and eLearning.
  • Information security procedures training.

Response Management, Incident Reporting, Crisis Communication & Policy Reviews

  • Response management training.
  • Incident management and containment.
  • Evidence gathering.
  • Crisis communication.
  • Review of policies and thresholds.

Data Protection in Asia

Legislation on personal data is not limited to Singapore. Malaysia, Thailand and Indonesia also have laws that protect personal data and, coincidentally, each is also called the PDPA. In the Philippines, it is known as the Data Privacy Act.

The General Data Protection Regulation (GDPR) of the European Union (EU) is by far one of the most stringent pieces of legislation on personal data protection in the world. Other notable laws around the world are the California Consumer Protection Act and the Privacy Act of Australia.

Data Protection and Cyber Security

As the world progresses into the digital age, with greater use of and even dependency on the Internet to work and perform daily tasks like ordering food, booking air tickets, and even watching the kids while at work, it is imperative that organisations and individuals remain safe online and do not fall prey to cyber criminals.

Organisations’ data, including personal data, sit on many devices and online platforms. Organisations need to be aware of digital and cyber threats, because any breach of personal data is also a breach of the PDPA. Thus, cyber security and PDPA compliance cannot be separated.
