Psst. It’s Mandatory.
Under the Personal Data Protection Act 2012 (PDPA), organisations are required to develop and implement the policies and practices necessary to meet their obligations under the PDPA.
In particular, organisations are required to designate at least one individual, known as the data protection officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA.
That said, the DPO function need not be a dedicated job role, and can be assigned to existing employees within an organisation, depending on the needs of the organisation.
An organisation may appoint one or a team of persons to be its DPO. Organisations are free to assess and decide, according to their needs, whether the DPO function should be a dedicated responsibility or an additional function within an existing role in the organisation. Once appointed, the DPO may in turn delegate certain responsibilities to other officers.
Organisations should take time to assess their needs before appointing a person suitable for the role of a DPO. The possible responsibilities of a DPO may include, but are not limited to, the following:
- Develop good policies for handling personal data that are in compliance with the PDPA and are suitable to the organisation’s needs;
- Communicate internal data protection policies and processes to employees, customers, and members;
- Handle personal data related queries or complaints;
- Alert the organisation to any risks that might arise with regard to personal data; and
- Liaise with the PDPC on data protection matters, if necessary.
Tips for DPOs to Get Started
1. Map out your organisation’s personal data inventory.
Review your organisation’s data management framework and processes to align them with the PDPA, for example, determining how, when and where your organisation collects personal data, the purposes for the data collection, and ensuring that consent has been obtained for the collection, use and disclosure of the data.
Refer to the PDPC’s Personal Data Protection Checklist for Organisations as a guide to help you review existing policies and to consider ways you can protect the personal data in your organisation’s care.
2. Develop policies to handle personal data in electronic or non-electronic forms.
Review your organisation’s personal data inventory to determine who has access to the personal data, how it is stored, and how long the personal data is kept. Keep in mind the nine main obligations when doing so, specifically, the Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Openness Obligations.
For example, the Consent Obligation requires organisations to obtain an individual’s consent before the collection, use or disclosure of his/her personal data, unless an exception applies, while the Notification Obligation requires organisations to notify individuals of the purposes for which their personal data is being collected, used or disclosed.
Generally, organisations should be mindful not to over-collect personal data. You may refer to the Advisory Guidelines on Key Concepts in the Personal Data Protection Act for more information on these obligations, and the different scenarios that may apply under them.
3. Conduct a risk assessment exercise to flag any potential data protection risks, and put in place data protection policies to mitigate those risks.
Review data protection risks within your organisation and come up with mitigating measures to address these issues. For example, your organisation may wish to consider carrying out regular internal audits to ensure that its processes adhere to the PDPA. In the case of a breach, your organisation should also have processes and measures in place to respond to such situations.
4. Keep your employees informed of internal personal data protection processes and policies.
Conduct a briefing to inform your employees of the obligations under the PDPA. Ensure that they are aware of any new developments, as well as any existing laws and contracts that may affect the personal data under your organisation’s care. More importantly, they should be aware of the internal policies and processes your organisation has set in place for the handling of personal data.
Refer to the PDPC’s Quick Guide to the Personal Data Protection Act 2012 for Organisations to get an overview of the nine main obligations under the PDPA, or watch a short video to get an introduction to the PDPA and Do Not Call Registry.
5. Develop processes for handling queries or complaints from the public.
Under the Access and Correction Obligation, a member of the public may request access to their personal data in an organisation’s possession, or enquire about the ways their personal data has been used over the past year. Your organisation should establish a formal procedure to handle such requests, covering who will address the requests, through which channel they will be addressed, and whether an administrative fee (please refer to the Advisory Guidelines on Key Concepts in the PDPA, Section 15.24) should be imposed for such requests. Similarly, your organisation should develop a process to receive, investigate, and respond to complaints from the public.
The PDPA sets out an obligation for the business contact information (BCI) of the DPO to be made available to the public. This person, or team of persons, should be able to answer personal data related queries and complaints on behalf of the organisation. While the PDPC does not prescribe that the DPO should be based in Singapore, organisations need to ensure that the relevant person is readily accessible from Singapore, operational during Singapore business hours and, in the case of telephone numbers, reachable on Singapore telephone numbers, to facilitate prompt response to queries or complaints.
It is also important to educate your customers on what the PDPA means to them, and how your organisation will safeguard their personal data. Organisations should continually review their policies and maintain good data management practices to build trust with their customers in the long term. You may refer your customers to the PDPC's online resources for more information.
Credit / Sources:
Data Protection Officers, PDPC
Common Misconceptions about the PDPA, PDPC
PDPC Ads, PDPC