What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Singapore requires that all organizations designate one or more individuals as a Data Protection Officer who is responsible for ensuring compliance with the Personal Data Protection Act 2012 (PDPA). Note that there have been enforcement cases due to an organization’s failure to appoint a DPO. The DPO role can be part, or all, of an individual’s job duties, and the DPO can assign others certain data protection responsibilities. Singapore’s Personal Data Protection Commission has suggested that the DPO be selected from senior management, a C-level officer or someone with a direct line of communication to company executives.
DPO responsibilities include:
- ensuring policies and procedures are in compliance with the PDPA during the development/implementation of processes for handling personal data, including questions and complaints;
- fostering a data protection culture and communicating policies to stakeholders;
- managing questions and complaints as they relate to personal data, including sharing information relating to the company’s personal data protection practices and policies;
- alerting management to any potential risks relating to personal data; and,
- liaising with Singapore’s Personal Data Protection Commission, when required.
The DPO’s contact information should be publicly available, and organizations should be able to respond promptly to questions and complaints (PDPA, Sec. 11(5)). As best practice, the DPO’s contact information should be readily accessible from Singapore, use a phone number based in Singapore, and be accessible during normal business hours in Singapore, particularly if the DPO is not based in the country.