Free Guide For Appointing a Data Protection Officer (DPO) For Your Business
Appointing a Data Protection Officer is mandatory under the Personal Data Protection Act (PDPA), for organisations (such as businesses) to ensure their compliance with the PDPA.
The DPO can be an employee with a dedicated role, an employee who takes on the responsibility in addition to an existing role in the organization, or a third party, with the function outsourced to a service provider.
However, appointing a data protection officer alone does not mean that your organization has fulfilled its data protection obligations; it is only the very first step in your PDPA compliance.
The following sections describe the responsibilities that your DPO has to perform, and how you can help your DPO fulfil these responsibilities more effectively.
8 Tips For Appointing A Data Protection Officer
1. Appointing A Data Protection Officer And Getting Trained
Without training, the employee tasked to lead the data protection efforts in the organization would not know where to even begin.
Furthermore, if the DPO's responsibilities are a secondary function on top of his primary job, he will not have sufficient time to perform all the required research and to clarify what he needs to know.
By attending a data protection course, your DPO will gain a better understanding of the scope of his responsibilities and the steps he can take to ensure your business complies with the PDPA, in the shortest amount of time.
2. Keep Your DPO Up-To-Date On The Latest Data Protection Matters
Every organization is encouraged to register their DPO with the PDPC. You can also subscribe him to the PDPC’s e-newsletter, DPO Connect.
Registering your DPO with PDPC will enable them to contact your appointed data protection officer regarding any complaint from the public and seek clarification if required.
Subscribing to DPO Connect will keep your DPO informed of the latest matters concerning data protection, upcoming events conducted by the PDPC, and where to seek help for data protection matters.
3. Ensure Your DPO’s Business Contact Information Is Made Available To The Public
This is usually an email address; if telephone numbers are provided, they should be Singapore telephone numbers.
When appointing a Data Protection Officer (DPO), do note that although the DPO is not required to be physically present in Singapore, he should still be readily accessible from Singapore and operational during Singapore business hours.
To be fully prepared for any personal data protection query or complaint from the public or the PDPC, have team members who are competent to answer personal data related queries and complaints on behalf of the organization, or who can at least provide an interim reply while the matter is brought to the appointed Data Protection Officer’s (DPO) attention.
4. Map Out Your Organization’s Personal Data Inventory
Evaluate your organisation’s data management processes and framework to align them with the 9 main obligations of the PDPA.
Determine how, when and where your organisation collects personal data and the purposes of the collection, and ensure that consent has been obtained for the collection, use or disclosure of the data.
5. Develop Policies To Handle Personal Data In Electronic Or Non-Electronic Forms
Review your organisation’s personal data inventory to determine who has access to the personal data, how it is stored, and how long the personal data is kept.
As a rule of thumb, never over-collect personal data, and also take note of the exemptions that may apply under each obligation.
6. Conduct Regular Risk Assessment Exercises To Flag Out Any Potential Data Protection Risks, And Put In Place Data Protection Policies To Mitigate Those Risks
Periodically review data protection risks within your organisation and craft mitigating measures to reduce such risks.
It is good practice to carry out regular internal audits to ensure that your organisation’s processes adhere to the PDPA. In the case of a breach, your organization should also have processes and measures in place to respond to these situations.
It is also beneficial to arrange for regular audits by an unbiased third-party auditing service provider to ensure that your business’ processes comply with the PDPA.
An experienced Data Protection Officer will be able to advise on the necessary investments in your business’ security infrastructure and on implementing secure server practices, such as proper access controls and strong password policies.
Finally, you should put in place both physical and online systems to regulate and monitor the transfer of personal data out of your business’ premises and computer systems respectively.
7. Keep Your Employees Informed Of Internal Personal Data Protection Processes And Policies
Ensure that your employees are familiar with your business’ data protection processes, frameworks and policies that you have set in place to handle personal data, as soon as they are drafted or whenever there are any new developments.
Conduct in-house training sessions to inform your employees of the obligations under the PDPA and the role they have to play. A secure environment is only as strong as its weakest link.
8. Develop Processes For Handling Queries Or Complaints From The Public
Under the Access and Correction Obligation, any member of the public may request access to their personal data that your organization keeps about them, or enquire about the ways their personal data has been used over the past year.
Your organization should have in place a formal procedure to handle such requests, specifying who will address the requests, the channel through which they will be handled, and whether an administrative fee should be imposed for such requests.
Similarly, your organization should develop a process to receive, investigate, and respond to complaints from the public.
Now that you know why appointing a Data Protection Officer is important and legally required, begin your PDPA compliance journey by designating one now.
If your organization is facing capability constraints, consider Privacy Ninja’s outsourced DPO service DPO-As-A-Service.