Appointing a Data Protection Officer (DPO) is Mandatory in Singapore

The Personal Data Protection Act (2012) is Singapore’s data protection law governing the collection, use and disclosure of personal data belonging to individuals.  Section 11 of the Act states that an organisation shall designate at least one individual, known as the Data Protection Officer, to be responsible for ensuring compliance with the Act, and to make available to the public the business contact information (BCI) of this person(s) – that is, to also register data protection officer.

Understandably, while organisations may adhere to the basic requirement of registering Data Protection Officer from one of their own, this doesn’t necessarily translate to reaching the desired compliance level. So in today’s landscape where the wise allocation of time and resources is critical, a wiser, more prudent choice has sprung up: that of outsourcing your Data Protection officer. To this end, Privacy Ninja’s DPO-As-A-Service was born, aiming to serve organisations with the highest compliance standards and the best operational obligations on an annual basis, in order to enable companies to focus on growing their businesses.

ENGAGE PRIVACY NINJA AS YOUR DPO!: Outsourced DPO As A Service

Where to Register Data Protection Officer (DPO) of Your Company

Previously, organizations could register Data Protection Officers directly with the Personal Data Protection Committee (PDPC) via an online web form. However, as of May 2020, the PDPC has collaborated with the Accounting and Corporate Regulatory Authority (ACRA) to develop an eService to enable business entities registered with ACRA (including sole-proprietorships, partnerships, limited partnerships, limited liability partnerships and companies) to register and update their DPO’s BCI via ACRA’s BizFile+ portal using their CorpPass accounts.

With this collaboration, the PDPC will no longer accept registrations and updates of DPO BCI from ACRA registered organisations via its web-forms. DPOs of organisations not registered with ACRA (e.g. Societies) may continue to register with the PDPC via the PDPC web-form.

PDPC will be sending an email to organizations’ CorpPass Admin’s email address(es), to inform them the availability of this new eService. These emails will be sent in batches from 24 June 2020 onwards.

PRO TIP: Hiring an in-house DPO can be costly and time-consuming, especially when you’re a startup or SME. We at Privacy Ninja understand this too well, that is why we launched the DPO-As-A-Service model, whereby you can outsource your DPO operational obligations to us on an annual basis, while you focus on growing your business. To know more about this subscription and how you can avail of it, click here.

Also Read: The FREE Guide To The 9 Obligations Of PDPA

Why is it Important?

The PDPA is a complaints based regime, where the PDPC is obligated to follow up and investigate on every complaint made. The common types of complaints made can include:

• Individuals unhappy with how your organization is processing their personal data
• Accidental disclosure of personal data due to system glitch
• Unauthorized disclosure of personal data due to data breach (malicious hacking or loss of work device/storage media)
• Competitor reporting on your data protection practices or failure to appoint or register data protection officer

Since appointing of a DPO and making his/her BCI publicly available is a mandatory requirement, even if you missed out inserting this information into your website’s privacy policy, by registering the information on ACRA Bizfile+ will fulfill that criteria, and save you the hassle of explaining to the PDPC when an investigation is launched. See how Privacy Ninja’s DPO-As-A-Service model lets you save time and cost while adhering to the full compliance of the data privacy laws.

Also Read: Free 8 Steps Checklist for Companies to Prevent Data Breach

How can someone tell if you do not have a DPO?

With this new change to register Data Protection Officer of organizations with ACRA Bizfile+, anyone can search for your entity name or UEN number on ACRA Bizfile+, without the need to login with SingPass or CorpPass.

A new feature called “Data Protection Officer(s)” is now available, which site visitors can click on to view the BCI of the registered DPO.

If your organization has registered its DPO, the BCI will be publicly available, showing:

• DPO Name
• DPO Contact No.
• DPO Email Address

Penalties for Organizations that do not have a DPO

Section 29(1) of the PDPA provides that the PDPC may, if it is satisfied that an organisation is not complying with any of the Data Protection Provisions, give the organisation such directions as the PDPC thinks fit in the circumstances to ensure the organisation’s compliance with that provision.

Section 29(2) of the PDPA further provides that the PDPC may (without prejudice to section 29(1) of the PDPA) give an organisation that is not complying with any of the Data Protection Provisions any or all of the following directions:

• to stop collecting, using or disclosing personal data in contravention of the PDPA;
• to destroy personal data collected in contravention of the PDPA;
• to comply with any direction of the PDPC under section 28(2) of the PDPA;
• to pay a financial penalty of such amount not exceeding $1 million as the PDPC thinks fit.

It has been seen from past enforcement cases that Organizations that failed to appoint a Data Protection Officer have had financial penalties ranging from $5000 to $20,000.

Who should you appoint as your DPO?

When appointing a Data Protection Officer, he/she can be either an employee with a dedicated responsibility or as an additional function within an existing role in the organization.

Organizations should take due care and consideration in determining the best person to take on this appointment, to entrust that this person will be responsible to lead the PDPA compliance for the organization and be the point-of-contact for PDPC for any data protection matters.  

However, just appointing a data protection officer does not mean that your organization has fulfilled its data protection obligations, and is just the very first step in your PDPA compliance.

Read Also: Free Guide For Appointing A Data Protection Officer (2020)

Appoint Privacy Ninja as your DPO

Organizations with capability constraints can also consider engaging a professional data protection service provider like Privacy Ninja, outsourcing the operational aspects of the Data Protection Officer role.

Many SMEs have signed up for Privacy Ninja’s DPO-As-A-Service annual subscription, an affordable outsourced DPO functions package to help your organization meet its compliance.