Comprehensive Guide to Data Protection Officer - What SME Owners need to know 2022



According to the Personal Data Protection act (PDPA) it is mandatory for many organizations to designate a data protection officer - DPO.

In fact, most companies could benefit from having a designated DPO. The processing of personal information entails liability risks, and not complying with the PDPA can result in severe penalties, including fines up to SGD 1 million or 10% of annual global turnover. Furthermore, the enhanced financial penalty provisions will take effect starting 1 October 2022.

A DPO takes responsibility for ensuring that companies comply with PDPA regulations regarding the safe storage and use of personal information.

Furthermore, they work closely with their competent supervisors to ensure a smooth and compli­ant procedure.

A DPO is an employee who has been trained to handle any privacy related issues within their organisation. They provide training to the relevant employees on the proper way to handle personal information in compliance with the PDPA. Additionally, they advise the management on the appropriate course of action if there is a potential violation of the Protection Law.

Data Protection and SMEs

While you may only believe data security concerns large companies, they're essential for small ones too. By implementing data security strategies, you can ensure your company maintains an excellent reputation, avoids operational down time, keeps its data safe from hackers, and guards itself against legal action.

Small businesses should pay special attention to protecting their customer data, as data breaches and losses can cost them a lot of money.

A company that does not properly secure its sensitive data could lose its reputation and face financial penalties. In addition, companies that do not comply with data privacy laws could incur hefty legal fees. These costs can put a small business under financial stress.

Data Protection Officers

Who can be DPO of the company?

Anyone not designated by other organisations can be a DPO. However, it must be someone who has been trained by the company to handle such matters. This person will have to be appointed by the board of directors.

Business owners may send their DPO for various DPO related courses here

The purpose of DPO

A successful DPO can help companies comply with the law and meet their customer's needs while balancing risk and innovation.

Under the PDPA, the supervisory authorities have many responsibilities including protecting individuals' personal data and protection obligations

What Are Data Protection Rules and Regulations?

These are the data privacy key principles:

• Lawfulness, Fairness, and Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity and Confidentiality
• Openness

To ensure that the data is protected, you need to follow the above rules strictly.

What you have to do

When business owners need to hire a DPO, there are clear rules for when they must do so.

• A mandatory requirement for a private authority or organisation

If your company is a private organisation, then an official designated by the authority must appoint a Data Protection Officer. However, courts acting in their judi­cial role are exempt from this requirement.

• Mandatory if the main activity involves collecting large amounts of personal information
  

A core activity is any activity that helps you achieve your key objectives. For example, collecting customer profiles or website visitor statistics would be considered a core activity.

This is distinct from processing data with other non-sensitive uses (e.g., payroll or HR) because they don't involve sensitive data. Hospitals, for instance, wouldn't need an appointed Data Protection Officer. They'd just use the data for its intended purpose.

• Mandatory if there is a possibility of large scale regular and systematic monitoring

It is not possible to provide an exact figure of people who need to be concerned about large-scale monitoring. However, we can identify some important factors. For example, the size of the population affected, the quantity of data collected, and the geographic scope are three relevant factors.

Regular and systematic monitoring refers to any form of collecting and analyzing information from various sources. For instance, regular and systematic monitoring includes collecting and analyzing user behaviour through web analytics tools.

• Mandatory if any special category of data is used

Personal information that reveals racial or ethnic origins, or medical and health information, is usually considered especially sensitive and therefore receives extra protection as well as requires protection strategy.

• Appointment of a DPO

Companies are legally required to appoint a DPO. By doing this, companies can better protect their customers' personal information. A DPO helps ensure good communication between company employees and supervisors, and shows a willingness to comply with regulations. In addition, it allows companies to demonstrate their commitment to improving privacy practices and protecting customer information.

If the supervisory authority is going to impose a fine, having an independent Data Protection Officer (DPO) could be beneficial. Remember though that by having an independent DPO, you're essentially making sure that the same duties apply to you whether you've been ordered to appoint someone or not.

Make sure that your DPO supports your efforts to the same degree as if he/she was doing so himself/herself.

• Report the DPO to the supervisory authority

Under the Personal Data Protection Act (PDPA), organisations are required to designate at least one individual as the organisation’s DPO, and making the DPO’s business contact information (BCI) publicly available.

Your Data Protection Officer can be kept up-to date with the latest information concerning data protection by subscribing him/her to the PDPC's e-newsletter, DPO connect. 

• Failing to appoint a DPO may lead to fines

If the company doesn't appoint a DPO, they must document their reasons for waiving the requirement or may lead to fines.


Frequently Asked Questions

Is DPO mandatory for company

Yes. DPO is mandatory for any private companies.


Can I Outsource my DPO to a third party firm?

If an organisation has manpower constraints, they might outsource some operational aspects of their DPO functions to a third party for business continuity. But the overall DPO functions remain the management's responsibilities (protection responsibilities).

What is PII?

Personal Identifiable Information (PII) includes any information that identifies an individual person, including

• Email address
• Personal identifiable financial information
• IP address
• Mailing address
• Social Security number
• Phone number
• Login ID
• Social media post

Data breaches happen when organisations don't protect their PII properly. Hack­ers may use the stolen PII for their own benefit.

Inventory Your Data

The first step in protecting your data is to inventory it. This means listing all the types of data you have and where it resides. You can do this using a spreadsheet or online tool like Google Sheets.

Minimize Data Collection

It is important for companies to have a good way of managing their large amounts of unstructured data. Visibility gained from using it allows them to monitor employee use of the data, understands what is required, predicts future needs, and makes the data available and secure, which increases customer confidence in the ability of the company to safeguard its data, promotes business expansion, reduces data costs, and generates revenue.

Be Open with Your Users

The biggest advantage of a data management system is its ability to provide insight into your organization’s data usage. By keeping track of where your data comes from and what it is being stored for, you can better understand how much data you are consuming and whether or not you should invest in additional storage capacity. A data management system also helps you identify unused space within your existing storage infrastructure, allowing you to make efficient use of your resources.