Singapore is currently in need of data protection officers, and the demand for qualified candidates to fill those roles will only go up. Straits Interactive conducted a DPO survey similar to one the IAPP did back in 2016. They predict Singapore will need at least 10,000 DPOs within the next three to five years as countries around it produce their own data protection rules.

In order to help fill this need, Straits Interactive, Singapore’s Personal Data Protection Commission, Workforce Singapore, SkillsFuture Singapore and Singapore Management University have teamed up to launch the Professional Conversion Programme for Data Protection Officers.

The program is designed to match businesses in need of a DPO with candidates looking to break into the data protection industry.

“In Singapore and the Philippines, it is mandatory by law to hire a data protection officer,” said Straits Interactive Founder and CEO Kevin Shepherdson, CIPP/A, CIPP/E, CIPM, CIPT, FIP. “There are very few skilled data protection officers in the market. In our part of the world, Southeast Asia is going to be one of the hottest jurisdictions for data protection law given that almost the entire region is new to data protection.”

The groups work to match companies with a DPO candidate that best suits their needs.  Organizations will supply the groups with criteria of what they are looking for in a candidate. While Singapore’s Personal Data Protection Act does require entities to hire a DPO, the person in the position does not need be a dedicated privacy professional. The DPO can also function in another role within the organization. Companies applying to the program can specify whether their hire’s primary role will be as DPO, or if their primary responsibilities will fall in a different department. Shepherdson said the DPO program is primarily meant to help small- and medium-sized enterprises that do not have the resources to hire a standalone DPO.

“We will look at the primary role for the candidate, such as an HR role or a management role. Once we are set, then we advise the companies. If they do not know what a DPO is, we will help them,” said Straits Interactive Learning and Development Manager King Yong Ng. “We will do some profiling on the candidates so we can hope we can not just match the companies’ requirements in terms of the job, but also the culture as well.”

As for those candidates, the program has a set list of credentials in order to be considered. The program is aimed toward individuals over the age of 40, or who are currently unemployed and wish to kickoff their DPO career. The program is also open to DPOs who are on their first three months on the job and wish to further develop their skills. Shepherdson stressed positions that fall under the program must include references to data privacy and data protection either in the title or in the job description.

Should a company hire someone under the aforementioned criteria, the Singapore government will fund 90 percent of their monthly salary up to SG$6,000 for six months. The Singapore government will fund 70 percent of the salary for candidates under the age of 40, topped off at SG$4,000.

Shepherdson said the incoming candidates will likely have little to no experience in data protection. Once hired, the candidate will spend six months learning the ins and outs of DPO work on-the-job. During those six months, the DPO will have to take 12 days to complete the Advanced Certificate in Data Protection Operational Excellence. 

The five modules for certificate include Advanced Techniques and Application for Data Protection by Design, Data Protection Impact Assessment, Data Protection and Privacy Programme Management, Information & Cyber Security for Managers, A Practical Approach for Data Protection for DPOs and Data Protection Trends & the Rise of the DPO.

Each module takes about two to three days to complete. For instance, a candidate will need three days to complete the Advanced Techniques module, while the Rise of the DPO module will only take two. The candidates will complete these modules in-person at the SMU Academy.

Candidates will have the ability to choose whether they would also like to take an IAPP CIPM exam test after completing the modules. If a candidate wishes to do so, the Data Protection and Privacy Programme Management module will be mapped to the IAPP exam's syllabus. The Advanced Techniques module also prepares DPOs to obtain a Data Protection Trustmark, which the Singapore government will start to administer at the end of the year.

The PDPC first announced the program back in July, and since then, the program has seen 30 candidates come through. Shepherdson said the PDPC sent a notice to 20,000 companies informing them about the program, and the groups plan to launch an executive DPO service by the end of the year by partnering with executive search firms to find any companies in need of a DPO that wish to join the program.

Shepherdson acknowledges adoption of the program may be slow for some companies as they continue to learn about Singapore’s data protection law and others that will continue to proliferate around Southeast Asia. As the need for DPOs continues to grow, Shepherdson believes the program will be the best resource to help burgeoning privacy professionals get the skills they need to succeed.

“You are not just attending a course. This is an on-the-job training, and whatever you do, the courses will help you achieve what you want to do for your company, and we will be working with your company, as opposed to a standalone workshop where you go in with no one guiding you,” said Shepherdson. “We will market the potential of the rise of the DPO, because the demands for the DPO skills is going to go up. Data protection will be the new business culture.”