Stay Calm and Respond to PDPC's Letter about your DPO
Updated: Aug 7, 2019
You may have received a letter from the Personal Data Protection Commission (PDPC) about your Data Protection Officer (DPO) and you may be wondering…
What should I do?
Don’t fret, here are some immediate answers to your questions and some ways you can respond.
Select and appoint a DPO
It is mandatory to appoint a DPO under the Personal Data Protection Act. So the first thing you need to do is to figure out who you should appoint as your DPO. The PDPC says that you should take time to assess your needs before appointing a person suitable for the role of a DPO. It goes on to say the possible responsibilities of a DPO may include, but are not limited to, the following:
Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
Manage personal data protection related queries and complaints;
Alert management to any risks that might arise with regard to personal data; and
Liaise with the PDPC on data protection matters, if necessary.
The DPO can be someone in your organisation. Larger organisations might appoint someone to take on the DPO role as their full-time job. In smaller organisations, it’s more common to see double-hatting - that is, where the responsibilities of a DPO are added to another job role. Sometimes it’s a staff member who is responsible for compliance generally, sometimes it’s someone involved in finance, risk or IT. Sometimes the CEO recognises the importance of data protection from the perspective of reputation management and building stakeholder trust, and the CEO becomes the DPO. You can also outsource your DPO role to a third party service provider.
After you have selected your DPO, appointment is easy. If they are a staff member, simply follow your usual process for appointing a staff member to a particular role and include the responsibilities of a DPO in their job description; if they are a third party service provider, you appoint them in the same way as you appoint any other service provider.
Register your DPO with the PDPC
Registering your DPO with the PDPC is not mandatory, but it is still a good idea. Registering your DPO means that the PDPC knows who to contact if they want to discuss any data protection issues or opportunities with you.
You can also make sure that you receive timely updates from the PDPC about new developments by signing up for DPO Connect.
I have appointed a DPO. What else should I do?
First, decide on what kind of help and what budget you have. Your DPO’s first responsibility is to develop and implement policies and processes for handling personal data that ensure you comply with the PDPA.
Here’s where DPOs very often need help: even if they know what is required by the PDPA, your DPO might not know how to develop and implement personal data policies and processes, or how to identify and manage risks in relation to the personal data you need to process for business success.
To know more about the PDPA
You can go to www.pdpc.gov.sg and read more, look out for the free advisories organised by the Data Protection Excellence (DPEX) Network or attend this course by SMU Academy.
To get some professional help
From my experience, most professional services only cover the legal aspects of the PDPA or only cover the policy aspects of the PDPA. Some provide PDPA training or consultancy, but not in an operational context. As you might expect, any one of these professional services can cost tens of thousands of dollars. Depending on the state of your PDPA compliance programme, they may not be the best solution, even if you are not particularly cost conscious and don’t mind having different service providers deliver different aspects of your programme.
Instead, consider the Hands-On DPO Training Programme, which gets your DPO trained through a privacy workshop and has your legal documents relating to personal data and your standard operating procedures reviewed by a qualified and experienced external lawyer as part of the Programme. Whether you would like an independent review of your existing PDPA compliance programme or you are starting from scratch, you can also get consultancy support.
For more established organisations or those who handle large amounts of personal data, it is probably more suitable to engage a team of data protection professionals for an in-house solution. This applies whether you would like an independent review of your existing PDPA compliance programme or you are starting from scratch, and also if you have a European HQ that wants you to comply with both the PDPA and the General Data Protection Regulation (GDPR).
Look out for data protection professionals with internationally recognised certifications such as the Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP) and Certified Information Privacy Technologist (CIPT), which are awarded by the International Association of Privacy Professionals (IAPP).
What if I want to get certified?
There is also a Practitioner's Certification offered by SMU Academy in collaboration with the PDPC. I recommend this ONLY for folks who have a strong foundation in the nine obligations and the Do-Not-Call (DNC) rules of the PDPA, and it could be useful for your company branding as you develop your data protection compliance capability.
I have done something, but I am not sure if it is sufficient.
The DPEX Network has attracted a group of data protection professionals across companies who believe in advocating greater awareness and professionalisation of data protection. Leave a message and you will probably get an invitation for a private chat.