Under the Personal Data Protection Act 2012 (PDPA), organizations are expected to establish and enforce the policies and practices needed to fulfil their PDPA obligations. In particular, organizations are required to appoint at least one person, known as the Data Protection Officer (DPO), to oversee data protection duties within the organization and ensure compliance with the PDPA. To keep abreast of developments in the PDPA, DPOs can .
Once appointed, the DPO may in turn delegate those responsibilities to other officers. Organizations are free to analyze and decide, based on their needs, whether the DPO function should be a separate role or an additional function of an existing role within the organization.
Organizations with workforce or capacity limitations can also consider outsourcing parts of the DPO role to a service provider.
However, note that the DPO role remains the responsibility of management; an outsourced service provider can only cover the operational aspects of the DPO role.
Organizations should take time to determine their needs before appointing an appropriate individual to the DPO role. A DPO’s responsibilities can include, but are not limited to, the following:
- Ensure compliance with the PDPA when designing and implementing personal data management policies and processes;
- Foster a culture of data security among employees and communicate privacy policies to stakeholders;
- Manage questions and grievances relating to the security of personal data;
- Warn management of any risks that can occur concerning personal data; and
- Liaise with the PDPC where appropriate on data protection matters.
- Map out your organization’s personal data inventory.
- Evaluate your organization’s data protection systems and procedures to confirm that they comply with the PDPA, for example by determining how, when, and where your organization collects personal data and for what purposes, and by ensuring that consent for the collection, use, and disclosure of that data has been obtained.
- Develop policies for handling personal data in both electronic and non-electronic forms.
- Review the organization’s personal data inventory to decide who has access to personal data, how it is processed, and how long it is retained.
Bear in mind the nine key obligations when doing so, namely the Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Accountability obligations.
For example, the Consent Obligation requires organizations to obtain consent from individuals before their personal data is collected, used, or disclosed, unless an exception applies. The Notification Obligation, by contrast, requires organizations to inform individuals of the purposes for which their personal data is collected, used, or disclosed.
Organizations should generally take care not to over-collect personal data. For more information on these obligations and the various situations in which they apply, please refer to the Advisory Guidance on Key Principles in Personal Data Protection.