Comprehensive Guide to Data Protection Officer - What SME Owners Need to Know [2023 Edition]

Viewed by 11,343 Smart Towkays

Comprehensive Guide to Data Protection Officer - What SME Owners Need to Know [2023 Edition]

The article was published on 06 Oct 2022 and was most recently updated on 26 Oct 2023

Recent updates from PDPC include the Personal Data Protection Digest 2022 which offers a comprehensive overview of the latest decisions from the PDPC and a collection of insightful data protection articles. Keep yourself informed by accessing the Digest here.

Read also: Amendments to PDPA Necessarily a Mixed Bag for Personal Data Protection

According to the Personal Data Protection act (PDPA) it is mandatory for many organizations to designate a data protection officer - DPO.

In fact, most companies could benefit from having a designated DPO. The processing of personal information entails liability risks, and not complying with the PDPA can result in severe penalties, including fines up to SGD 1 million or 10% of annual global turnover. Furthermore, the enhanced financial penalty provisions will take effect starting 1 October 2022.

Data Laws In Singapore 2023

Singapore's Personal Data Protection Act (PDPA), established in 2012, sets out comprehensive guidelines for the handling of personal data, regardless of whether it's in electronic or non-electronic forms.

Under the PDPA, organizations must obligate to the following:

  1. Ensure Accountability: Take responsibility for safeguarding personal data.

  2. Inform Individuals: Notify individuals about the intended purposes of collecting, using, or disclosing their personal data.

  3. Obtain Consent: Only use personal data for purposes with the individual's consent.

  4. Exercise Prudence: Collect, use, and disclose data for reasonable purposes.

  5. Maintain Accuracy: Ensure the accuracy and completeness of collected personal data.

  6. Implement Security Measures: Provide reasonable security measures to protect personal data.

  7. Dispose Responsibly: Cease data collection and ensure proper disposal when data is no longer needed.

  8. Control Data Transfer: Set limitations on data transfer.

  9. Offer Access and Editing Rights: Grant users access and editing rights to their data.

  10. Report Breaches Promptly: Immediately inform users in the event of a data breach.

  11. Ensure Data Portability: Allow data portability for users.

Additionally, the Personal Data Protection (Do Not Call Registry) Regulations 2013 enable individuals to register their Singapore telephone numbers with the DNC Registry to avoid unwanted telemarketing messages.

Non-compliance with certain PDPA provisions is a criminal offense, punishable by fines up to US$7,400 and/or imprisonment for up to three years. For ongoing offenses, an additional fine of up to US$740 per day may apply.

Moreover, the Personal Data Protection (Notification Of Data Breaches) Regulations 2021 require organizations to notify users about data breaches that may affect them.

What is a Data Protection Officer in a nutshell?

A DPO takes responsibility for ensuring that companies comply with PDPA regulations regarding the safe storage and use of personal information.

Furthermore, they work closely with their competent supervisors to ensure a smooth and compli­ant procedure.

A DPO is an employee who has been trained to handle any privacy related issues within their organisation. They provide training to the relevant employees on the proper way to handle personal information in compliance with the PDPA. Additionally, they advise the management on the appropriate course of action if there is a potential violation of the Protection Law.

Data Protection and SMEs

While you may only believe data security concerns large companies, they're essential for small ones too. By implementing data security strategies, you can ensure your company maintains an excellent reputation, avoids operational down time, keeps its data safe from hackers, and guards itself against legal action.

Small businesses should pay special attention to protecting their customer data, as data breaches and losses can cost them a lot of money.

A company that does not properly secure its sensitive data could lose its reputation and face financial penalties. In addition, companies that do not comply with data privacy laws could incur hefty legal fees. These costs can put a small business under financial stress.

Data Protection Officers

Who can be DPO of the company?

Anyone not designated by other organisations can be a DPO. However, it must be someone who has been trained by the company to handle such matters. This person will have to be appointed by the board of directors.

Business owners may send their DPO for various DPO related courses here.

The purpose of DPO

A successful DPO can help companies comply with the law and meet their customer's needs while balancing risk and innovation.

Under the PDPA, the supervisory authorities have many responsibilities including protecting individuals' personal data and protection obligations

What Are Data Protection Rules and Regulations?

These are the data privacy key principles:

  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
  • Openness

To ensure that the data is protected, you need to follow the above rules strictly.

What you have to do

When business owners need to hire a DPO, there are clear rules for when they must do so.

  • A mandatory requirement for a private authority or organisation

If your company is a private organisation, then an official designated by the authority must appoint a Data Protection Officer. However, courts acting in their judi­cial role are exempt from this requirement.

  • Mandatory if the main activity involves collecting large amounts of personal information

A core activity is any activity that helps you achieve your key objectives. For example, collecting customer profiles or website visitor statistics would be considered a core activity.

This is distinct from processing data with other non-sensitive uses (e.g., payroll or HR) because they don't involve sensitive data. Hospitals, for instance, wouldn't need an appointed Data Protection Officer. They'd just use the data for its intended purpose.

  • Mandatory if there is a possibility of large scale regular and systematic monitoring

It is not possible to provide an exact figure of people who need to be concerned about large-scale monitoring. However, we can identify some important factors. For example, the size of the population affected, the quantity of data collected, and the geographic scope are three relevant factors.

Regular and systematic monitoring refers to any form of collecting and analyzing information from various sources. For instance, regular and systematic monitoring includes collecting and analyzing user behaviour through web analytics tools.

  • Mandatory if any special category of data is used

Personal information that reveals racial or ethnic origins, or medical and health information, is usually considered especially sensitive and therefore receives extra protection as well as requires protection strategy.

  • Appointment of a DPO

Companies are legally required to appoint a DPO. By doing this, companies can better protect their customers' personal information. A DPO helps ensure good communication between company employees and supervisors, and shows a willingness to comply with regulations. In addition, it allows companies to demonstrate their commitment to improving privacy practices and protecting customer information.

If the supervisory authority is going to impose a fine, having an independent Data Protection Officer (DPO) could be beneficial. Remember though that by having an independent DPO, you're essentially making sure that the same duties apply to you whether you've been ordered to appoint someone or not.

Make sure that your DPO supports your efforts to the same degree as if he/she was doing so himself/herself.

  • Report the DPO to the supervisory authority

Under the Personal Data Protection Act (PDPA), organisations are required to designate at least one individual as the organisation’s DPO, and making the DPO’s business contact information (BCI) publicly available.

Your Data Protection Officer can be kept up-to date with the latest information concerning data protection by subscribing him/her to the PDPC's e-newsletter, DPO connect. 

  • Failing to appoint a DPO may lead to fines

If the company doesn't appoint a DPO, they must document their reasons for waiving the requirement or may lead to fines.

Frequently Asked Questions

Is DPO mandatory for company

Yes. DPO is mandatory for any private companies.

Can I Outsource my DPO to a third party firm?

If an organisation has manpower constraints, they might outsource some operational aspects of their DPO functions to a third party for business continuity. But the overall DPO functions remain the management's responsibilities (protection responsibilities).

What is PII?

Personal Identifiable Information (PII) includes any information that identifies an individual person, including

  • Email address
  • Personal identifiable financial information
  • IP address
  • Mailing address
  • Social Security number
  • Phone number
  • Login ID
  • Social media post

Data breaches happen when organisations don't protect their PII properly. Hack­ers may use the stolen PII for their own benefit.

Inventory Your Data

The first step in protecting your data is to inventory it. This means listing all the types of data you have and where it resides. You can do this using a spreadsheet or online tool like Google Sheets.

Minimize Data Collection

It is important for companies to have a good way of managing their large amounts of unstructured data. Visibility gained from using it allows them to monitor employee use of the data, understands what is required, predicts future needs, and makes the data available and secure, which increases customer confidence in the ability of the company to safeguard its data, promotes business expansion, reduces data costs, and generates revenue.

Be Open with Your Users

The biggest advantage of a data management system is its ability to provide insight into your organization’s data usage. By keeping track of where your data comes from and what it is being stored for, you can better understand how much data you are consuming and whether or not you should invest in additional storage capacity. A data management system also helps you identify unused space within your existing storage infrastructure, allowing you to make efficient use of your resources.

Read also: Comprehensive Guide To Understanding Moneylenders Credit Bureau Report (MLCB)
Read also: Anti-Money Laundering (AML) in Singapore: What are the Compliances and Regulations? [2023 Edition]
Read also: Amendments to PDPA Necessarily a Mixed Bag for Personal Data Protection


Got a Question?

WhatsApp Us, Our Friendly Team will get back to you asap :)

Share with us your thoughts by leaving a comment below!

Stay updated with the latest business news and help one another become Smarter Towkays. Subscribe to our Newsletter now!

UPDATED AS OF 30 May 2024
Lowest Business Banking Facilities
Lowest SME Working Capital Loan (WCL) Rate
Per year
Lowest Business Term Loan Rate
Per year
Lowest Home Loan Rate
Per year
Lowest P2P Biz Loan Rate
Per month
Lowest Commercial Property Rate
Per year

Find the Best Loans, Insurance & Credit Cards

Get Our Weekly Newsletter

We value your privacy. We never share your email with 3rd parties. Unsubscribe at any time.