• Hong Kong
  • UK
  1. Osome Blog Singapore
  2. All You Need to Know About Appointing a Data Protection Officer For Your Company

All You Need to Know About Appointing a Data Protection Officer For Your Company

A Data Protection Officer (DPO) is someone all businesses in Singapore, no matter how big or small, have to have. Fail to do so, and risk being slapped with hefty fines. That's the way the Singapore government enforces laws around data privacy under the Personal Data Protection Act (PDPA).

All this sounds like extra work for entrepreneurs. At this point if you need to quickly talk to a human about your question on registering this Data Protection Officer, our professional company secretaries will assist you, just drop us a chat. You might have questions on who should be a Data Protection Officer and how you go about appointing one for your company. This article will answer your questions so that your businesses stay compliant, avoid fines, and you save some money.

The Role of the Data Protection Officer

Data protection officer (DPO) ensures your company processes personal data in compliance with the data protection rules. That includes personal data of your staff, customers, providers or any other individuals you deal with.

‌‌‌‌At the top of the list, these are a few of an officer’s responsibilities:‌‌‌‌

1. Makes sure that your current practices conform with the PDPA. An officer does this by auditing the storing and usage of data in the company, both on paper (hard copy) or electronically (soft copy). ‌‌‌‌

2. Handles questions and complaints from employees or customers related to data protection in your company.

3. Advocates the importance of data privacy within your company‌‌‌‌

4. Alerts you and your other management team should they spot any risks

‌‌‌‌5. Liaises with the Personal Data Protection Commission (PDPC), Singapore's primary data protection authority, and gets updates to any changes on data protection matters and further training. ‌

‌Types of Complaints your Data Protection Officer would Deal with

As companies are collecting and managing even more data, there will be more reports and complaints on how companies manage it. These complaints are just some of what your officer would face.

1. A competitor reporting on your subpar data protection practices or even a failure to appoint a DPO.

What? Is it that easy for someone to tell if you don’t have a Data Protection Officer?

Yes, it is hardly mission impossible. One only needs to go to ACRA BizFile+ and search for your company name or UEN number without any login needed. This information is publicly available.

First, search the ACRA Register for the company name. Try searching for Osome.

How to find information on Data Protection Officer on Acra - Search the company

You can then find a field titled: Data Protection Officer(s).

How to find information on Data Protection Officer on Acra - Find the correct company

Click ‘here’ to get the information on our own Data Protection Officer. ‌‌‌‌‌‌

Search for information on Data Protection Officer on ACRA

Simple, right?

2. Complaints by individuals who are not satisfied with how your business is processing their personal data

Tinky Snaps set up a booth at an event to market their photo booth services. They took photos of their staff working at the company’s booth and uploaded the photos on Facebook. A member of the public saw their photo on the album which has been taken without their permission. They requested for the photo to be taken down.

3. Accidental disclosure of personal data

Vivito Printing has a file on their clients’ account holder’s names, emails, office phone numbers, and office addresses. Being a printing company, they sent the data of their account holders to be printed in letters by mistake. The letters were then mistakenly mailed out to other account holders. Whoops. This could have been avoided if they had better data protection practices.

4. Unauthorized disclosure of personal data due to data breaches

Restaurant Ho-kiddo Ramen’s payroll software application lets employees view their electronic payslips and allows supervisors to confirm attendance of their staff. It also contains the contact number and addresses of their staff. The software was hosted on a server without firewall protection installed, and left the company's systems open to a ransomware attack.

Does My Singapore Company Really Need to Appoint a Data Protection Officer?

Absolutely yes, or expect to pay up. In 2017, a tuition agency Championtutor was fined $5,000 for failing to appoint a data protection officer.

Should a member of the public complain against your company to the PDPC, your Data Officer would be the main point of contact with the PDPC while you manage your business growth. ‌‌‌‌Your Data Officer would review your company’s policies in the first place to prevent such complaints from happening, and save your company money from hefty fines. Horizon Fast Ferry which provides ferry services between Singapore and Batam was fined $54,000 in 2019 for simply failing to appoint a data protection officer, and put in place arrangements to protect their employees’ and customers’ data. A breach had not occurred yet. This is how serious the Singapore authorities take data protection. ‌‌‌‌

So now, how do I appoint a Data Protection Officer?

  1. First, decide who will be your officer.‌‌‌‌

Will the officer be someone within your business or a team of people? You don’t need to hire someone specifically for the position. It can be an added responsibility for one of your employees. Whichever option you choose, the person needs to understand your IT processes. They should also have the right knowledge to ensure that your organisation complies with the PDPA and develops processes to receive and respond to data-related complaints.‌‌‌‌

The officer you select does not have to be a citizen or resident in Singapore, the Commission suggests that the DPO should be readily contactable using Singapore telephone numbers, and available during Singapore business hours.‌‌‌‌

If your business is facing manpower or capability constraints, consider outsourcing parts of the function to a service provider. Keep in mind that the officer’s function is the management's responsibility and that the outsourcing service should cover only the operational aspects of the officer’s function.

Looking for service providers to outsource your data protection roles? Here’s a list of an approved list of service providers.

  1. Secondly, register your officer.

‌‌Register and update your officer’s business contact via ACRA’s BizFile+ portal using your CorpPass accounts.

For Osome’s Incorporation clients, this is a service that we can assist you with. Find out more about our Incorporation services in Singapore. ‌‌‌‌


What does a Data Protection Officer do?

The primary role of the data protection officer (DPO) is to ensure that their organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the data protection rules.

Who can be the Data Protection Officer?

Anyone in your company can be a DPO. You can even appoint a team of staff to be the company’s DPO. Your DPO does not have to be a Singapore citizen or resident, but they should be contactable whenever a member of the public attempts to contact them. Having a Singapore number is good to have so you won’t scare them with high phone bills. If you have manpower constraints, you can outsource it to a third-party service provider.

Is a Data Protection Officer mandatory?

All businesses, big or small, need a Data Protection Officer (DPO). Someone who can develop and implement good policies and practices for handling personal data that meet your organisation's needs. Someone who can communicate the policies and practices clearly to employees and customers, and someone who can manage personal data-related queries or complaints.

In a nutshell, the appointed DPO should possess the appropriate expertise and knowledge to be able to ensure that the organisation complies with the PDPA and develop a process to receive and respond to complaints with respect to the application of the PDPA.

Is there any deadline for appointment of DPO?‌‌

There is no deadline to register your DPO. However, PDPC strongly encourages organisations to register their DPO as early as possible so that they can be kept abreast of relevant personal data protection developments in Singapore.‌‌

Do Dormant Companies need a DPO?‌‌

A company that is dormant and has no business operation need not register its DPO contact details with PDPC.


Share this post:

Tips to run your business smarter.
Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

You might like it

Government Grant

Wage Support & Rental Relief for Businesses in Singapore’s Stabilisation Phase

Tighter COVID-19 restrictions will be implemented from 27 September to 21 November 2021. Find out what support SG companies can receive from this Stabilisation Phase.


A Design Guide for E-commerce Websites

If you’re looking to improve your e-commerce page and improve sales, you might want to learn the fundamentals of how to design a good website.

Entrepreneur's Bootcamp

Best Practice Invoicing Tips for SMEs

This article will help Singapore-based SMEs get to grips with the best invoicing practices. Take a look at the tips and how-tos to guide you toward being more streamlined and savvy.


Which Is The Better Payment Gateway: Paypal or Stripe?

As an e-commerce business owner, you would have heard of payment gateways PayPal and Stripe. With these two big platforms being the most popular online payment gateways, you may face a dilemma when it comes to deciding which payment gateway to use.


Tips For Amazon Sellers To Manage Your Inventory Better

Brand owners and sellers of all scales struggle to seek a well-balanced supply chain. Additionally, Amazon has its own inventory management rules, which makes everything even tougher.


Top 10 Best E-commerce Hosting Services in 2021

When you are setting up your e-commerce shop, the right hosting provider can make all the difference. However, with a variety of options out there, choosing the best one can be confusing.


What You Need To Include In An Invoice for E-commerce

For business owners who own and run an online store, you probably already know that invoices must be sent to your customers for the services you provide or the goods you sell, as a form of purchase proof.


Guide to E-commerce Fulfillment & Shipping for Singapore E-commerce Sellers

E-commerce fulfilment and shipping for your Singapore-based business matters. This guide unpacks how the right strategy can influence your bottom line and help you find what’ll work best for you - whether it’s in-house fulfilment, dropshipping or a solid partnership with a 3PL.


E-commerce Tips: How To Use Packaging Inserts to Increase Revenue

Improving customer retention is one of the effective ways to create brand awareness. Additionally, placing your focus on existing customers also means that you do not have to splurge extra dollars on marketing.

Entrepreneur's Bootcamp

The Cost of Living as a Foreign Business Owner in Singapore

When choosing Singapore as a base to run your business is the cost of living, you need to consider the cost of living.


5 Most Lucrative E-Commerce Niches In 2021

If you’re just starting or looking to go in a new direction, finding a lucrative niche will make every part of running your e-commerce business easier. This article will look at the trending e-commerce niches to consider.

Entrepreneur's Bootcamp

How To Pick the Right Company Name

Choosing a business name is not that simple, and you may wreck your brains over choosing one, only to find out that ACRA did not approve its registration.

Tips to run your business smarter. Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

We’re using cookies! What does it mean?