Under the PDPA, organisations are required to designate at least one individual as the data protection officer (DPO) to oversee data protection responsibilities and ensure compliance with the PDPA. The DPO function may be a dedicated responsibility or added to an existing role in the organisation. The appointed DPO may also delegate certain responsibilities to other officers.
Responsibilities of the DPO
The responsibilities of a DPO include, but are not limited to:
- Ensuring compliance with PDPA when developing and implementing policies and processes for handling personal data;
- Fostering a data protection culture among employees and communicating personal data protection policies to stakeholders;
- Managing personal data protection-related queries and complaints;
- Alerting management to any risks that might arise with regard to personal data; and
- Liaising with the PDPC on data protection matters, if necessary.
DPOs are encouraged to kick-start the implementation of data protection policies and processes using PDPC’s free-to-use resources such as sample clauses, templates, communication materials and tools available here.
Organisations may hire a DPO under the Professional Conversion Programme (PCP) for Data Protection Officers scheme which provides skills conversion to train and place professionals, managers, executives and technicians (PMETs) in a DPO role.
Outsourcing of DPO function
Organisations with manpower constraints may outsource operational aspects of the DPO function to a service provider. However, the overall DPO function remains the management's responsibility.
Data Protection-as-a-Service (DPaaS) is an alternative for organisations that wish to outsource their data protection functions. Organisations may approach any of the listed providers registered with the Infocomm Media Development Authority (IMDA) to get started on basic data protection practices. For more information, please visit the IMDA website.