A Data Protection Officer (DPO) is someone every business in Singapore, no matter how big or small, has to have. Fail to appoint one, and you risk being slapped with hefty fines. That is how the Singapore government enforces its data privacy laws under the Personal Data Protection Act (PDPA).
All this sounds like extra work for entrepreneurs. If at any point you need to talk to a human about registering a Data Protection Officer, our professional company secretaries will assist you; just drop us a chat. You might have questions on who should be a Data Protection Officer and how you go about appointing one for your company. This article answers those questions so that your business stays compliant, avoids fines, and saves some money.
The Role of the Data Protection Officer
A data protection officer (DPO) ensures that your company processes personal data in compliance with the data protection rules. That includes the personal data of your staff, customers, suppliers or any other individuals you deal with.
At the top of the list, these are a few of an officer’s responsibilities:
1. Makes sure that your current practices conform with the PDPA. An officer does this by auditing how data is stored and used in the company, both on paper (hard copy) and electronically (soft copy).
2. Handles questions and complaints from employees or customers related to data protection in your company.
3. Advocates the importance of data privacy within your company.
4. Alerts you and the rest of your management team should they spot any risks.
5. Liaises with the Personal Data Protection Commission (PDPC), Singapore's primary data protection authority, and receives updates on any changes in data protection matters as well as further training.
Types of Complaints your Data Protection Officer would Deal with
As companies collect and manage ever more data, there will be more reports and complaints about how they manage it. These complaints are just some of what your officer would face.
1. A competitor reporting on your subpar data protection practices or even a failure to appoint a DPO.
What? Is it that easy for someone to tell if you don’t have a Data Protection Officer?
Yes, it is hardly mission impossible. One only needs to go to ACRA BizFile+ and search for your company name or UEN number; no login is needed. This information is publicly available.
First, search the ACRA Register for the company name. Try searching for Osome.
You can then find a field titled: Data Protection Officer(s).
Click ‘here’ to get the information on our own Data Protection Officer.
2. Complaints by individuals who are not satisfied with how your business is processing their personal data
Tinky Snaps set up a booth at an event to market their photo booth services. They took photos of their staff working at the company's booth and uploaded the photos to Facebook. A member of the public saw their own photo in the album, which had been taken without their permission, and requested that the photo be taken down.
3. Accidental disclosure of personal data
Vivito Printing keeps a file of their clients' account holders' names, emails, office phone numbers, and office addresses. Being a printing company, they sent the data of their account holders to be printed in letters by mistake. The letters were then mistakenly mailed out to other account holders. Whoops. This could have been avoided if they had better data protection practices.
4. Unauthorized disclosure of personal data due to data breaches
Restaurant Ho-kiddo Ramen's payroll software application lets employees view their electronic payslips and allows supervisors to confirm the attendance of their staff. It also contains the contact numbers and addresses of their staff. The software was hosted on a server with no firewall protection installed, which left the company's systems open to a ransomware attack.
Does My Singapore Company Really Need to Appoint a Data Protection Officer?
Absolutely yes, or expect to pay up. In 2017, the tuition agency Championtutor was fined $5,000 for failing to appoint a data protection officer.
Should a member of the public complain about your company to the PDPC, your Data Protection Officer would be the main point of contact with the PDPC while you manage your business growth. Your officer would also review your company's policies in the first place to prevent such complaints from arising, saving your company from hefty fines. Horizon Fast Ferry, which provides ferry services between Singapore and Batam, was fined $54,000 in 2019 simply for failing to appoint a data protection officer and to put in place arrangements to protect their employees' and customers' data. No breach had occurred yet. This is how seriously the Singapore authorities take data protection.
So now, how do I appoint a Data Protection Officer?
- First, decide who will be your officer.
Will the officer be someone within your business or a team of people? You don’t need to hire someone specifically for the position. It can be an added responsibility for one of your employees. Whichever option you choose, the person needs to understand your IT processes. They should also have the right knowledge to ensure that your organisation complies with the PDPA and develops processes to receive and respond to data-related complaints.
The officer you select does not have to be a citizen or resident of Singapore, but the Commission suggests that the DPO should be readily contactable on a Singapore telephone number and available during Singapore business hours.
If your business is facing manpower or capability constraints, consider outsourcing parts of the function to a service provider. Keep in mind that the officer's function remains the management's responsibility, and that the outsourced service should cover only the operational aspects of the officer's function.
Looking for service providers to outsource your data protection roles to? Here's an approved list of service providers.
- Secondly, register your officer.
Register and update your officer's business contact details via ACRA's BizFile+ portal using your CorpPass account.
For Osome’s Incorporation clients, this is a service that we can assist you with. Find out more about our Incorporation services in Singapore.
What does a Data Protection Officer do?
The primary role of the data protection officer (DPO) is to ensure that the organisation processes the personal data of its staff, customers, suppliers or any other individuals (also referred to as data subjects) in compliance with the data protection rules.
Who can be the Data Protection Officer?
Anyone in your company can be the DPO. You can even appoint a team of staff to be the company's DPO. Your DPO does not have to be a Singapore citizen or resident, but they should be contactable whenever a member of the public attempts to reach them. A Singapore number is good to have so you won't scare people off with high phone bills. If you have manpower constraints, you can outsource the role to a third-party service provider.
Is a Data Protection Officer mandatory?
All businesses, big or small, need a Data Protection Officer (DPO): someone who can develop and implement good policies and practices for handling personal data that meet your organisation's needs, someone who can communicate those policies and practices clearly to employees and customers, and someone who can manage personal data-related queries or complaints.
In a nutshell, the appointed DPO should possess the appropriate expertise and knowledge to ensure that the organisation complies with the PDPA, and should develop a process to receive and respond to complaints about the application of the PDPA.
Is there any deadline for the appointment of a DPO?
There is no deadline to register your DPO. However, the PDPC strongly encourages organisations to register their DPO as early as possible so that they can be kept abreast of relevant personal data protection developments in Singapore.
Do dormant companies need a DPO?
A company that is dormant and has no business operations need not register its DPO contact details with the PDPC.