Data Protection Officer
5 things to know about the DPO
All organisations need to appoint a Data Protection Officer
Under the PDPA, organisations are required to designate at least one individual as the data protection officer (DPO) to oversee data protection responsibilities and ensure compliance with the PDPA. The DPO function may be a dedicated responsibility or added to an existing role in the organisation.
1. Is it mandatory to appoint a DPO?
Yes. All organisations, regardless of size, must appoint an individual or team of persons to be its DPO, to be responsible for ensuring the organisation’s compliance with the PDPA. Failure to appoint a DPO may lead to an investigation and fine by the Personal Data Protection Commission (PDPC).
2. What qualifications are required for the DPO?
The PDPA does not prescribe specific qualifications required for an individual to be a DPO. However, as a compliance requirement, the DPO should be appointed “on the basis of professional qualities” and not simply appointed within the organisation based on whoever is willing to take on the role.
The appointed DPO should be adequately equipped with the relevant knowledge of the PDPA. To this end, the organisation should ensure it appoints a suitable candidate or candidates to be its DPO to effectively assist the organisation in its compliance with the PDPA.
3. What are the responsibilities of the DPO?
The responsibilities of a DPO include, but are not limited to:
- Develop and implement policies and processes to ensure compliance with the PDPA;
- Foster a data protection culture among employees;
- Communicate personal data protection policies to stakeholders;
- Manage queries and complaints with regard to personal data;
- Highlight any risks that might arise with regard to personal data; and
- Liaise with the PDPC on personal data protection matters, when necessary.
4. Must the DPO be based in Singapore?
No. There is no requirement for the DPO to be a Singapore citizen, or based in Singapore. However, the PDPC recommends that the DPO be readily contactable from Singapore and available during Singapore business hours.
The telephone number of the DPO provided should be a Singapore telephone number as it would facilitate the organisation’s ability to respond promptly to any complaint or query related to personal data.
5. Are there courses for the DPO?
Several courses are run locally to build key competencies for DPOs.
Certification courses offered locally include the following:
- Practitioner Certificate in Personal Data Protection (Singapore) Preparatory Course (2020)
- Professional Conversion Programme (PCP) for Data Protection Officers
- Certified Information Privacy Manager Programme
- Certified Information Privacy Technologist Programme
- Hands-on Data Protection Officer Training Programme - Enabling New Competencies for the Data Protection Officer & Complying with the Personal Data Protection Act
- Certified Information Privacy Professional Asia Programme
- Certified Information Privacy Professional Europe Programme
- Advanced Certificate in Data Protection and Operational Excellence
- Advanced Certificate in Data Protection Principles
At Privacy Matters Pte Ltd, we also offer in-house training sessions specifically for DPOs.