Singapore
  • Hong Kong
  • UK
  1. Osome Blog Singapore
  2. All You Need to Know About Appointing a Data Protection Officer For Your Company

All You Need to Know About Appointing a Data Protection Officer For Your Company

All You Need to Know About Appointing a Data Protection Officer For Your Company

A Data Protection Officer (DPO) is someone all businesses in Singapore, no matter how big or small, have to have. Fail to do so, and risk being slapped with hefty fines. That's the way the Singapore government enforces laws around data privacy under the Personal Data Protection Act (PDPA).

All this sounds like extra work for entrepreneurs. At this point if you need to quickly talk to a human about your question on registering this Data Protection Officer, our professional company secretaries will assist you, just drop us a chat. You might have questions on who should be a Data Protection Officer and how you go about appointing one for your company. This article will answer your questions so that your businesses stay compliant, avoid fines, and you save some money.

The Role of the Data Protection Officer

Data protection officer (DPO) ensures your company processes personal data in compliance with the data protection rules. That includes personal data of your staff, customers, providers or any other individuals you deal with.

‌‌‌‌At the top of the list, these are a few of an officer’s responsibilities:‌‌‌‌

1. Makes sure that your current practices conform with the PDPA. An officer does this by auditing the storing and usage of data in the company, both on paper (hard copy) or electronically (soft copy). ‌‌‌‌

2. Handles questions and complaints from employees or customers related to data protection in your company.

3. Advocates the importance of data privacy within your company‌‌‌‌

4. Alerts you and your other management team should they spot any risks

‌‌‌‌5. Liaises with the Personal Data Protection Commission (PDPC), Singapore's primary data protection authority, and gets updates to any changes on data protection matters and further training. ‌

‌Types of Complaints your Data Protection Officer would Deal with

As companies are collecting and managing even more data, there will be more reports and complaints on how companies manage it. These complaints are just some of what your officer would face.

1. A competitor reporting on your subpar data protection practices or even a failure to appoint a DPO.

What? Is it that easy for someone to tell if you don’t have a Data Protection Officer?

Yes, it is hardly mission impossible. One only needs to go to ACRA BizFile+ and search for your company name or UEN number without any login needed. This information is publicly available.

First, search the ACRA Register for the company name. Try searching for Osome.

How to find information on Data Protection Officer on Acra - Search the company

You can then find a field titled: Data Protection Officer(s).

How to find information on Data Protection Officer on Acra - Find the correct company

Click ‘here’ to get the information on our own Data Protection Officer. ‌‌‌‌‌‌

Search for information on Data Protection Officer on ACRA

Simple, right?

2. Complaints by individuals who are not satisfied with how your business is processing their personal data

Tinky Snaps set up a booth at an event to market their photo booth services. They took photos of their staff working at the company’s booth and uploaded the photos on Facebook. A member of the public saw their photo on the album which has been taken without their permission. They requested for the photo to be taken down.

3. Accidental disclosure of personal data

Vivito Printing has a file on their clients’ account holder’s names, emails, office phone numbers, and office addresses. Being a printing company, they sent the data of their account holders to be printed in letters by mistake. The letters were then mistakenly mailed out to other account holders. Whoops. This could have been avoided if they had better data protection practices.

4. Unauthorized disclosure of personal data due to data breaches

Restaurant Ho-kiddo Ramen’s payroll software application lets employees view their electronic payslips and allows supervisors to confirm attendance of their staff. It also contains the contact number and addresses of their staff. The software was hosted on a server without firewall protection installed, and left the company's systems open to a ransomware attack.

Does My Singapore Company Really Need to Appoint a Data Protection Officer?

Absolutely yes, or expect to pay up. In 2017, a tuition agency Championtutor was fined $5,000 for failing to appoint a data protection officer.

Should a member of the public complain against your company to the PDPC, your Data Officer would be the main point of contact with the PDPC while you manage your business growth. ‌‌‌‌Your Data Officer would review your company’s policies in the first place to prevent such complaints from happening, and save your company money from hefty fines. Horizon Fast Ferry which provides ferry services between Singapore and Batam was fined $54,000 in 2019 for simply failing to appoint a data protection officer, and put in place arrangements to protect their employees’ and customers’ data. A breach had not occurred yet. This is how serious the Singapore authorities take data protection. ‌‌‌‌

So now, how do I appoint a Data Protection Officer?

  1. First, decide who will be your officer.‌‌‌‌

Will the officer be someone within your business or a team of people? You don’t need to hire someone specifically for the position. It can be an added responsibility for one of your employees. Whichever option you choose, the person needs to understand your IT processes. They should also have the right knowledge to ensure that your organisation complies with the PDPA and develops processes to receive and respond to data-related complaints.‌‌‌‌

The officer you select does not have to be a citizen or resident in Singapore, the Commission suggests that the DPO should be readily contactable using Singapore telephone numbers, and available during Singapore business hours.‌‌‌‌

If your business is facing manpower or capability constraints, consider outsourcing parts of the function to a service provider. Keep in mind that the officer’s function is the management's responsibility and that the outsourcing service should cover only the operational aspects of the officer’s function.

Looking for service providers to outsource your data protection roles? Here’s a list of an approved list of service providers.

  1. Secondly, register your officer.

‌‌Register and update your officer’s business contact via ACRA’s BizFile+ portal using your CorpPass accounts.

For Osome’s Incorporation clients, this is a service that we can assist you with. Find out more about our Incorporation services in Singapore. ‌‌‌‌

FAQs

What does a Data Protection Officer do?

The primary role of the data protection officer (DPO) is to ensure that their organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the data protection rules.

Who can be the Data Protection Officer?

Anyone in your company can be a DPO. You can even appoint a team of staff to be the company’s DPO. Your DPO does not have to be a Singapore citizen or resident, but they should be contactable whenever a member of the public attempts to contact them. Having a Singapore number is good to have so you won’t scare them with high phone bills. If you have manpower constraints, you can outsource it to a third-party service provider.

Is a Data Protection Officer mandatory?

All businesses, big or small, need a Data Protection Officer (DPO). Someone who can develop and implement good policies and practices for handling personal data that meet your organisation's needs. Someone who can communicate the policies and practices clearly to employees and customers, and someone who can manage personal data-related queries or complaints.

In a nutshell, the appointed DPO should possess the appropriate expertise and knowledge to be able to ensure that the organisation complies with the PDPA and develop a process to receive and respond to complaints with respect to the application of the PDPA.

Is there any deadline for appointment of DPO?‌‌

There is no deadline to register your DPO. However, PDPC strongly encourages organisations to register their DPO as early as possible so that they can be kept abreast of relevant personal data protection developments in Singapore.‌‌

Do Dormant Companies need a DPO?‌‌

A company that is dormant and has no business operation need not register its DPO contact details with PDPC.

‌‌

Share this post:

Tips to run your business smarter.
Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

You might like it

Should You Consider Using Cryptocurrency in Your Business Operations?
Running My Business

Should You Consider Using Cryptocurrency in Your Business Operations?

There are more than 4,000 cryptocurrencies that exist. Before you jump on the bandwagon, assess whether cryptocurrencies are suitable to be used in your business.

7 Ways To Accept Payments For Your Online Store
E-commerce

7 Ways To Accept Payments For Your Online Store

Many payment options allow you to accept credit cards and other payment types. How do you choose which method to include on your website?

Customer Retention: How To Keep Customers Coming Back Repeatedly
E-commerce

Customer Retention: How To Keep Customers Coming Back Repeatedly

Every business likes new customers, especially when the customer uses their services again and again. Existing customers help in creating a solid foundation of your business that provides a steady revenue stream that costs less than acquiring new customers.

5 Tips for a Streamlined Payroll Process for SMEs
Payroll

5 Tips for a Streamlined Payroll Process for SMEs

For a business to run smoothly, the payroll process must be streamlined and error-free. It is easy to streamline and optimize your payroll and other back-office processes within your SMB. Did you know that this can improve your cash flow?

Phase 2 Heightened Alert Support Package for SMEs (July to August 2021)
Government Grant

Phase 2 Heightened Alert Support Package for SMEs (July to August 2021)

From 22 July 2021, Singapore has reverted to Phase 2 (Heightened Alert). Fortunately, the Singapore Government will be cushioning the impacts of the harsher COVID-19 restrictions with a $1.1 billion support package.

How To Offer Free Shipping Profitably
E-commerce

How To Offer Free Shipping Profitably

Should a customer or seller bear the shipping cost? Let’s explore how a profit margin can still be maintained while offering free shipping.

What Is a Register of Controllers and Why Singapore Companies Now Have To Submit This Document
Secretary

What Is a Register of Controllers and Why Singapore Companies Now Have To Submit This Document

In April 2020, Singapore businesses will have to submit the Register for Registrable Controllers to ACRA. Before, your company was only obliged to maintain it internally. Now you will have to file the Register with ACRA electronically and maintain it updated at all times.

SG Govt Will Extend Loans for SMEs by 6 Months as Part of Heightened Alert Support Measures
Government Grant

SG Govt Will Extend Loans for SMEs by 6 Months as Part of Heightened Alert Support Measures

Singapore's Phase 2 and 3 periods of heightened alert have undoubtedly affected many businesses, especially Small- and Medium-sized Enterprises (SMEs). As such, Finance Minister Lawrence Wong has announced additional support measures for these Singapore-registered companies on 5 Jul 2021.

Clickshare Media Ventures Scales Up E-commerce Operations With Osome as Accounting Partner
Customer Success

Clickshare Media Ventures Scales Up E-commerce Operations With Osome as Accounting Partner

Clickshare Media Ventures (CSMV) is one of the fastest-growing e-commerce companies in Southeast Asia. In just 3 years, CSMV has built itself to be an 8-figure business with more than 10 direct-to-consumer e-commerce brands in the baby, beauty, and personal care industries.

The 10 Best E-Commerce Payment Gateway for Online Sellers
E-commerce

The 10 Best E-Commerce Payment Gateway for Online Sellers

Other than branding and marketing, these technologically savvy consumers are well acquainted with the Internet and convenient payment gateways and demand nothing less than a seamless e-commerce transaction.

SMEs Can Apply for Relief Measures and Delay Full Loan Repayments till 30 Sep
Government Grant

SMEs Can Apply for Relief Measures and Delay Full Loan Repayments till 30 Sep

As the pandemic gradually transitions to an endemic, the Monetary Authority of Singapore (MAS) has announced the 'final extension' of relief measures for small and medium-sized enterprises (SMEs) affected by the COVID-19 situation to resume full loan repayments.

8 Tips to Improve Your E-commerce Photos
E-commerce

8 Tips to Improve Your E-commerce Photos

Want to kickstart your start-up or bolster an existing online business? These 8 e-commerce photography tips could have a direct impact on small businesses owners in Singapore, take a look.

Tips to run your business smarter. Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

We’re using cookies! What does it mean?