
Fall in line: What is the role of a Data Protection Officer at a startup?


As the world pushes for digitalisation, the amount of data collected and exchanged digitally has grown year on year. With every app download, every website signup and every seemingly harmless checkout on an e-commerce platform, we leave traces of our personal data behind for collection in the digital space.

The socio-economic implications of such staggering volumes of data can no longer be put on the backburner. In Southeast Asia, governments recognise that principles and guidelines have to be established in order to promote and strengthen personal data protection in the region.

In Singapore, the Personal Data Protection Act (PDPA) of 2012 set in motion the call for businesses to align themselves with rules governing the collection, use, disclosure and care of personal data. Under this Act, appointing a Data Protection Officer (DPO) is mandatory for organisations (including businesses) to ensure their compliance with the PDPA.

A DPO can be an employee with a dedicated responsibility, an employee taking on the role as an additional function within an existing position, or a third party to whom the function is outsourced. The important question is: what do DPOs actually do?

Roles and responsibilities

  • Ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data;
  • Foster a data protection culture among employees and communicate personal data protection policies to stakeholders;
  • Manage personal data protection related queries and complaints;
  • Alert management to any risks that might arise with regard to personal data; and
  • Liaise with the Personal Data Protection Commission (PDPC) on data protection matters, if necessary.

Dexter Ng, Chief Technology Officer at AntiHack.me (a cybersecurity company) adds that, “It is the DPO’s responsibility to ensure organisations with websites and mobile apps that collect data have reasonable security measures in place, such as conducting yearly penetration tests.”


However, appointing a Data Protection Officer does not by itself mean that your organisation has fulfilled its data protection obligations. It is only the very first step in your PDPA compliance.

Training for DPOs is a must

Without training, the employee tasked with leading the organisation's data protection efforts would not know where to begin.

Furthermore, if the DPO role is a secondary function on top of the employee's primary job, they will not have sufficient time to do the required research and seek clarification on what they do not know.

By attending a data protection course, your DPO will gain, in the shortest amount of time, a clearer understanding of the scope of the role and of the steps they can take to ensure your business complies with the PDPA.

For instance, Singapore startup Privacy Ninja conducts regular training for appointed DPOs in order to give them an overview and understanding of the nine core PDPA obligations and more.

I believe that education is key to being a proficient and competent DPO for any organisation. Understanding the fundamental requirements of the PDPA is essential to formulating your organisation’s Data Protection Management Programme.

One of those who underwent such training is Alvin Decruz, Head of Engineering of tech startup and digital publishing house Tickled Media. “Privacy Ninja is knowledgeable and professional in what they do,” Alvin shared. “We engaged them to conduct PDPA training for my staff and everyone greatly benefitted. I am safe to say we are much more aware and aligned to the PDPA’s regulations.”

Every organisation is encouraged to register its DPO with the PDPC. Additionally, the appointed DPO can subscribe to the PDPC's e-newsletter, DPO Connect.

Subscribing to DPO Connect will keep your DPO informed of the latest data protection matters, upcoming events run by the PDPC, and where to seek help on data protection issues.


Transparency is sexy

Appointing a Data Protection Officer is just the very first step. You will also need to make the DPO's business contact information available to the public; this is typically displayed on the privacy policy page of the organisation's corporate website.

Since May 2020, the PDPC has collaborated with the Accounting and Corporate Regulatory Authority (ACRA) of Singapore on an e-service that lets business entities register their DPO's Business Contact Information (BCI) on ACRA BizFile+, where it is made publicly available. Making the DPO's business contact information publicly available is itself a mandatory requirement under the PDPA.

For organisations that previously registered their DPO with the PDPC, the PDPC encourages them to register the DPO again in ACRA BizFile+ so that the DPO's details remain accurate and up to date.

The business contact information is usually an email address; where a telephone number is provided, it should be a Singapore telephone number.

While appointed DPOs are not required to be physically present in Singapore, they should still be readily accessible from Singapore and operational during Singapore business hours.

To be fully prepared for any personal data protection query or complaint from the public or the PDPC, have team members who are competent to answer personal data related queries and complaints on behalf of the organisation, or who can at least provide an interim reply while the matter is brought to the appointed DPO's attention.

The startups’ dilemma

For startups in Singapore, appointing a DPO from among the existing team members might pose a dilemma. Every member may already have their plates full of business-related tasks, and adding a DPO role on top of it may prove to be too much. On the flip side, hiring a full-time DPO can mean straining the company budget further.

Privacy Ninja understands this all too well, being a startup themselves. Seeing a gap in this area, they formed a well-rounded DPO team to offer their expertise to businesses in Singapore, targeting SMEs that face resource constraints in building in-house DPO capabilities.

Privacy Ninja's outsourced Data Protection Officer function, DPO-As-A-Service, is intended to let your business meet its PDPA obligations without straining your budget or manpower. It includes "surprise" audits of the company, the development of the necessary policies and data protection documentation, and round-the-clock data protection support and assistance.


In a nutshell, if your business operates in Singapore and you have not yet appointed a DPO, don't wait until the PDPC imposes hefty penalties, which in past enforcement cases have typically ranged from SG$5,000 (US$3,600) to SG$20,000 (US$14,600).

Now is the best time to begin your journey toward full compliance with the PDPA.


Image Credit: Yura Fresh on Unsplash

The post Fall in line: What is the role of a Data Protection Officer at a startup? appeared first on e27.