Data Protection Officer – Do you know what you are getting into?


The implementation of data privacy protection laws in various countries has given rise to a new job role: Data Protection Officer (DPO for short). In some countries, such as Singapore and the Philippines, businesses are required by law to appoint a DPO. In other jurisdictions, such as the European Union and Malaysia, the law does not explicitly require the appointment of a DPO, although in practice organisations have found that it is not practicable to comply with a data privacy protection act without someone (or a team) taking on that role and responsibility.

What does a Data Protection Officer (DPO) do?

Briefly, a DPO needs to

  • Ensure the organisation complies with the data protection act
  • Assess and monitor the risks that might arise in relation to personal data
  • Develop and implement a data protection management programme
  • Help nurture data protection awareness and culture within the organisation
  • Liaise with the authority on data protection matters

In addition, the DPO plays a key role in data breach cases (Is it a breach? Should we report to the authority within 72 hours? And so on) and in the recovery process.

As this is a relatively new area, there is a huge shortage of qualified DPOs in the industry. In most organisations, DPO is an added responsibility, usually given to the HR, IT, or legal officer. Most appointees do not know their roles and responsibilities, and worse still, their accountability.

To What Extent Is DPO Accountable?

That depends.

For example, in the Philippines, a DPO could face criminal liability (i.e. jail terms), since “… malfeasance, misfeasance, or nonfeasance on the part of the DPO or COP relative to his designated functions may still be a ground for administrative, civil, or criminal liability, in accordance with all applicable laws.” (NPC Advisory No. 2017-01 – Designation of Data Protection Officers). On the other hand, DPOs in Singapore are “safe” as they are not accountable under the PDPA: there are no jail terms, only fines for the company.

So, what if you hold a regional DPO role responsible for data protection across the countries your company operates in, say across ASEAN? Do you know your role and responsibility? More importantly, your accountability?

Watch this space. More on this in upcoming blog posts. We are here to help.
