Under the 2012 Personal Data Protection Act (PDPA), organizations are expected to establish and enforce policies and practices essential for the fulfillment of their PDPA obligations. Organizations are specifically required to appoint at least one person, known as the Data Protection Officer (DPO), to oversee the duties of data protection within the organization and to ensure compliance with the PDPA.
To keep abreast of developments in the PDPA, DPOs can register with the PDPC.
An organization can designate one individual or a team of individuals as its DPO in Singapore.
Organizations are free to analyze and determine, based on their needs, whether the DPO function should be a separate responsibility or an additional function within an existing role in the organization. Once named, the DPO can in turn assign those responsibilities to other officers.
Outsourcing parts of the DPO role to a service provider can also be considered by organizations with manpower or capacity limitations.
However, note that the DPO role is the responsibility of management and that the outsourcing service can only cover the operational aspects of the DPO role.
Organizations should take time to determine their needs before naming an appropriate individual for the DPO role. A DPO's potential roles can include, but are not limited to, the following:
- Ensure PDPA enforcement when designing and enforcing Personal Data Management policies and processes;
- Foster a culture of data security among employees and communicate privacy policies to stakeholders;
- Manage questions and grievances relating to the security of personal data;
- Warn management of any risks that can occur concerning personal data; and
- Liaise with the PDPC where appropriate on data security matters.
Map out your organization’s personal data inventory.
Evaluate the data protection system and procedures of your company to confirm that they comply with the PDPA, such as deciding how, when and where your company collects personal data, identifying the data collection purposes, and ensuring that approval for data collection, use and disclosure has been obtained.
Develop policies to handle personal data in electronic or non-electronic forms.
Evaluate the personal data inventory of the company to decide who has access to personal data, how it is processed, and how long it is kept.
Bear in mind the nine key obligations when doing so, specifically the obligations of consent, intent restriction, notification, access and correction, accuracy, security, restriction of retention, limitation of transfer, and accountability.
For example, the Consent Requirement requires organizations to obtain permission from an individual before their personal data are collected, used, or released unless an exception exists, while the Notification Requirement requires organizations to inform individuals of the reasons for which the personal data is collected, used or released.
Organizations should be generally conscious of not over-collecting personal data. For more information on these obligations, and the various situations that can occur under these obligations, please refer to the Advisory Guidance on Key Principles in the Personal Data Protection