Free guide for appointing a Data Protection Officer
Appointing a Data Protection Officer is mandatory under the Personal Data Protection Act (PDPA) for organisations (such as businesses) to ensure their compliance with the PDPA.
When appointing a data protection officer, you can either appoint an employee (as a dedicated responsibility or as an additional function within an existing role in the organisation) or outsource the role to a third-party service provider.
However, simply appointing a data protection officer does not mean that your organisation has fulfilled its data protection obligations; it is only the very first step in your PDPA compliance.
The following sections explain the responsibilities that your DPO has to perform and how you can help your DPO fulfil these responsibilities more effectively.
Also Read: Data governance framework: What organisations in Singapore should know
8 tips for appointing a Data Protection Officer
1. Train the employee appointed as your Data Protection Officer
Without training, the employee being tasked to lead the data protection efforts in the organisation would not know where to even begin.
Furthermore, if the responsibility of a DPO is a secondary function on top of his primary job, the DPO will not have sufficient time to perform all the research needed to gain the required knowledge.
By attending a data protection course, your DPO will gain a better understanding of the scope of his responsibilities and the steps he can take to ensure your business complies with the PDPA in the shortest amount of time.
2. Keep your DPO up to date on the latest data protection matters
Every organisation is encouraged to register its DPO with the PDPC. You can also require your appointed DPO to subscribe to the PDPC’s e-newsletter, DPO Connect.
Registering your DPO with the PDPC enables the PDPC to contact your appointed data protection officer regarding any complaint from the public and to seek clarification if required.
Subscribing to DPO Connect will keep your DPO informed of the latest matters concerning data protection, upcoming events conducted by the PDPC, and information on where to seek help for data protection matters.
Alternatively, you may also subscribe to Privacy Ninja’s newsletter, a weekly emailer of the latest cybersecurity and data protection updates.
3. Ensure your DPO’s business contact information is made available to the public
Appointing a Data Protection Officer is just the very first step; you will also need to make his/her contact information available to the public. This is typically displayed on the privacy policy page of an organisation’s corporate website.
The contact information is usually an email address; where telephone numbers are provided, they should be Singapore telephone numbers.
When appointing a Data Protection Officer (DPO), note that the DPO is not required to be physically present in Singapore; however, he should still be readily accessible from Singapore and operational during Singapore business hours.
To be fully prepared for any personal data protection query or complaint from the public or the PDPC, have team members who are competent to answer personal data-related queries and complaints on behalf of the organisation, or who can at least provide an interim reply while the matter is brought to the appointed Data Protection Officer’s (DPO) attention.
4. Map out your organisation’s personal data inventory
Evaluate your organisation’s data management processes and framework to align them with the nine main obligations of the PDPA.
For example:
Determining how, when, and where your organisation collects personal data, the purposes for the data collection, and ensuring that consent has been obtained for the collection, use or disclosure of the data.
5. Develop policies to handle personal data in electronic or non-electronic forms
Review your organisation’s personal data inventory to determine who has access to the personal data, how it is stored, and how long the personal data is kept.
As a rule of thumb, always remember not to over-collect personal data, but also take note of the exemptions that may apply under each obligation.
6. Conduct regular risk assessment exercises to flag any potential data protection risks, and put in place data protection policies to mitigate those risks
Periodically review data protection risks within your organisation and craft mitigating measures to reduce such risks.
It’s good practice to carry out regular internal audits to ensure that your organisation’s processes adhere to the PDPA. In the case of a breach, your organisation should also have processes and measures in place to respond to such situations.
It is also beneficial to arrange for regular audits by an unbiased third-party auditing service provider to ensure that your business’ processes comply with the PDPA.
An experienced Data Protection Officer will also be able to advise on the necessary investments in your business’ security infrastructure and implement secure server practices, such as proper access controls and strong password policies.
Finally, you should put in place both physical and online systems to regulate and monitor the transference of personal data out of your business’ premises and computer systems, respectively.
7. Keep your employees informed of internal personal data protection processes and policies
Ensure that your employees are familiar with the data protection processes, frameworks, and policies that your business has set in place to handle personal data, both as soon as they are drafted and whenever there are any new developments.
Conduct in-house training to inform your employees of the obligations under the PDPA and their role to play. A secure environment is only as strong as its weakest link.
8. Develop processes for handling queries or complaints from the public
Under the Access and Correction Obligation, any member of the public may request access to the personal data that your organisation keeps about them or enquire about the ways their personal data has been used over the past year.
Your organisation should have a formal procedure in place to handle such requests, covering who will address the requests, through which channel these requests will be addressed, and whether an administrative fee should be imposed for such requests.
Similarly, your organisation should develop a process to receive, investigate, and respond to complaints from the public.
Conclusion
Now that you know why appointing a Data Protection Officer is important and legally required, begin your PDPA compliance journey by designating one now.
If your organisation is facing capability constraints, consider Privacy Ninja’s outsourced DPO service, DPO-As-A-Service.
Also Read: National Cybersecurity Awareness Campaign of Singapore: Better Cyber Safe than Sorry