Under Singapore’s Personal Data Protection Act (PDPA), organizations (such as businesses) are required to appoint at least one individual as their Data Protection Officer (DPO) to ensure their compliance with the PDPA.
Your business’ DPO can be either an employee or a third-party. However, take note that your business is not exempted from fulfilling its data protection obligations just because you have appointed a DPO for it.
This article sets out the responsibilities that you may task your DPO with, and discusses how you can help your DPO fulfil these responsibilities more effectively.
What are the responsibilities of a Data Protection Officer?
The PDPA does not state the responsibilities that your DPO has to undertake. However, you could task your DPO with:
• Crafting and implementing processes and policies for the handling of personal data, in accordance with your business’ data protection obligations;
• Increasing your stakeholders’ (e.g., employees, independent contractors, and business partners) awareness of both these data protection policies and your business’ data protection obligations;
• Handling queries and complaints regarding your business’ protection of personal data;
• Informing management of any data protection-related risks which may arise; and
• Liaising with the Personal Data Protection Commission (PDPC), which administers and enforces the PDPA, where necessary.
Given the importance of such tasks, should you decide to appoint an employee as your DPO, you may consider appointing someone from the middle to senior management levels.
How can you help your Data Protection Officer fulfil their responsibilities?
Here are several ways in which you can enhance your business’ capabilities to help your DPO fulfil his/her responsibilities more effectively:
(1) Send your DPO for a data protection course.
Through these courses, your DPO can gain a better understanding of the scope of his/her responsibilities and the steps he/she can take to ensure your business complies with the PDPA.
(2) Keep your DPO up-to-date on the latest data protection matters.
For example, you can register your DPO with the PDPC. You can also subscribe them to the PDPC’s e-newsletter, DPO Connect. Doing so will keep your DPO informed of the latest matters concerning data protection, upcoming events conducted by the PDPC, and information on where to seek help for data protection matters.
(3) Evaluate your business’ data management processes and frameworks and determine if they are consistent with the 9 mains obligations under the PDPA.
(4) Evaluate which of your business’ databases contain personal data and determine who can access such data, how such data is stored and how long it will be kept.
(5) Identify the areas where the personal data in your business’ possession might be compromised, and craft and implement measures to reduce such risks.
For example, you can arrange for regular internal audits to ensure that your business’ processes comply with Singapore’s data protection laws. You should also make the necessary investments in your business’ security infrastructure and implement secure server practices, such as proper access controls and strong password policies. Finally, you should put in place both physical and online systems to regulate and monitor the movement of personal data out of your business’ premises and computer systems respectively.
(6) Ensure that your employees are familiar with your business’ data protection processes, frameworks and policies.
For example, get your DPO to conduct training workshops for employees on your business’ data protection practices and policies. Your DPO should also regularly update employees of any developments that may affect how your business manages personal data.
(7) Implement a procedure to be followed should a member of the public have a query or complaint on how your business handles personal data.
The procedure should include details such as who the public should contact and how, and whether they have to pay an administration fee when making a request. Take note that the PDPA requires the business contact information of DPOs to be made public.
The DPO should also be competent enough to handle queries and complaints concerning personal data protection on your business’ behalf.
Finally, although the DPO is not required to be physically present in Singapore, they should be readily accessible from Singapore and operational during Singapore business hours.
The role of a DPO is far from straightforward. Therefore, to ensure compliance with the PDPA, it is crucial that your business work alongside your DPO in implementing the relevant data protection policies, processes and frameworks, as well as conducting regular employee training and internal audits.