A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Singapore requires that all organizations designate one or more individuals as a Data Protection Officer who is responsible for ensuring compliance with the Personal Data Protection Act 2012 (PDPA). Note that there have been enforcement cases due to an organization’s failure to appoint a DPO. The DPO role can be part, or all, of an individual’s job duties, and the DPO can assign others certain data protection responsibilities. Singapore’s Personal Data Protection Commission has suggested that the DPO be selected from senior management, a C-level officer or someone with a direct line of communication to company executives.
DPO responsibilities include:
The DPO’s contact information should be publicly available, and organizations should be able to respond promptly to questions and complaints (PDPA, Sec. 11(5)). As a best practice, the DPO’s contact information should be readily accessible from Singapore, use a phone number based in Singapore, and be accessible during normal business hours in Singapore, particularly if the DPO is not based in the country.