Under the Personal Data Protection Act 2012 (PDPA), organisations are required to develop and implement the policies and practices necessary to meet their obligations under the PDPA. In particular, organisations are required to designate at least one individual, known as the data protection officer (DPO), to oversee the organisation's data protection responsibilities and ensure compliance with the PDPA.
DPOs may register with the PDPC to keep abreast of developments in the PDPA.
An organisation may appoint one person or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.
Organisations with manpower or capability constraints can also consider outsourcing parts of the DPO function to a service provider. Do note, however, that the DPO function remains management's responsibility and that the outsourced service should cover only the operational aspects of the DPO function. A list of data protection service providers is available from the PDPC.
Organisations should take time to assess their needs before appointing a person suitable for the role of a DPO. The possible responsibilities of a DPO may include, but are not limited to, the following:
- Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
- Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
- Manage personal data protection related queries and complaints;
- Alert management to any risks that might arise with regard to personal data; and
- Liaise with the PDPC on data protection matters, if necessary.
To build personal data protection capabilities of DPOs and organisation representatives engaged in data protection compliance, a two-day course, Fundamentals of the Personal Data Protection Act, has been developed under the Business Management Workforce Skills Qualifications (BM WSQ) framework.
Tips for DPOs to Get Started
Map out your organisation’s personal data inventory.
Review your organisation’s data management framework and processes to align them with the PDPA, for example, determining how, when and where your organisation collects personal data, the purposes for the data collection, and ensuring that consent has been obtained for the collection, use and disclosure of the data.
Develop policies to handle personal data in electronic or non-electronic forms.
Review your organisation’s personal data inventory to determine who has access to the personal data, how it is stored, and how long the personal data is kept. Keep in mind the nine main obligations when doing so, specifically, the Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Accountability obligations.
For example, the Consent Obligation requires organisations to obtain an individual’s consent before collecting, using or disclosing his/her personal data, unless an exception applies, while the Notification Obligation requires organisations to notify individuals of the purposes for which their personal data is being collected, used or disclosed. Generally, organisations should be mindful not to over-collect personal data. You may refer to the Advisory Guidelines on Key Concepts in the Personal Data Protection Act for more information on these obligations, and the different scenarios that may apply under them.
Conduct a risk assessment exercise to flag any potential data protection risks, and put in place data protection policies to mitigate those risks.
Review data protection risks within your organisation and come up with mitigating measures to address these issues. For example, your organisation may wish to consider carrying out regular internal audits to ensure that its processes adhere to the PDPA. In the case of a breach, your organisation should also have processes and measures in place to respond to such situations.
Keep your employees informed of internal personal data protection processes and policies.
Conduct a briefing to inform your employees of the obligations under the PDPA. Ensure that they are aware of any new developments, as well as any existing laws and contracts that may affect the personal data under your organisation’s care. More importantly, they should be aware of the internal policies and processes your organisation has set in place for the handling of personal data.
Refer to the PDPC’s Quick Guide to the Personal Data Protection Act 2012 for Organisations to get an overview of the nine main obligations under the PDPA, or watch a short video to get an introduction to the PDPA and Do Not Call Registry.
Develop processes for handling queries or complaints from the public.
Under the Access and Correction Obligation, a member of the public may request access to their personal data in an organisation’s possession or under its control, or enquire about the ways their personal data has been used or disclosed over the past year. Your organisation should establish a formal procedure to handle such requests, covering who will address the requests, through which channel they will be received and answered, and whether an administrative fee (please refer to the Advisory Guidelines on Key Concepts in the PDPA, Section 15.24) should be imposed for such requests. Similarly, your organisation should develop a process to receive, investigate, and respond to complaints from the public.
The PDPA sets out an obligation for the business contact information (BCI) of the DPO to be made available to the public. This person, or team of persons, should be able to answer personal data related queries and complaints on behalf of the organisation. While the PDPC does not prescribe that the DPO should be based in Singapore, organisations need to ensure that the relevant person is readily accessible from Singapore, operational during Singapore business hours, and, where a telephone number is provided, reachable on a Singapore telephone number – to facilitate prompt responses to queries or complaints.
It is also important to educate your customers on what the PDPA means to them, and how your organisation will safeguard their personal data. Organisations should continually review their policies and maintain good data management practices to build trust with their customers in the long term. You may refer your customers to the PDPC's online resources for more information.
DPO Connect e-Newsletter
If you are a DPO and wish to be included as part of the PDPC’s future outreach efforts to DPOs, you may wish to consider subscribing to the PDPC’s e-newsletter, DPO Connect.
By subscribing, you will be kept informed on the following:
- Relevant updates on data protection related matters.
- Updates on upcoming events organised by the PDPC.
- Information on where to seek assistance for data protection related matters.