“A DPO who carries out his role well is an asset to his organization. He ensures compliance, yes, but he can do so much more.”
Such was the message from the keynote stage here at the IAPP Asia Privacy Forum in Singapore, where Personal Data Protection Commission Deputy Commissioner Yeong Zee Kin used his opening address to tout the role of the data protection officer and expound upon the many resources the PDPC offers to make the DPO successful.
He noted the case of real estate firm CBRE, which was found to have mistakenly disposed of papers containing personal information in the trash.
“Our investigation found,” Yeong said, “that they had implemented reasonable data protection policies, had regular trainings, and had guidance on disposal of personal information. And they had communicated them through a code of conduct and through the employment handbook. So the PDPC decided that they were not in breach of the PDPA.
“This is the crucial role of the data protection officer.”
In fact, he said, there have been numerous cases where a DPO was able to demonstrate that their organization abided by the right practices and was accountable to customers for the care of their personal data.
An organization with a highly placed, professional DPO “may well avoid a finding that it has violated the PDPA, even though there was a data breach,” Yeong said.
Many of the PDPC’s enforcement actions are related, he said, to a lack of proper training, data protection policies and IT measures. But in those cases where the PDPC found that an organization has acted responsibly, no action was taken.
“The DPO must,” Yeong said, “put in place a training program so that everyone in the organization is aware of the proper practices and policy. He must help his colleagues and the organization internalize the need to adopt a culture of respect for their customers’ personal data. It’s not something the DPO can do once and check it off his list.”
Further, he said, the DPO “has to be involved in all the right conversations in the organization, providing the best data protection advice and contributing to the development of products and services. The DPO cannot and should not be a road block; he has to be a pathfinder and contribute positively and to help colleagues achieve the organization’s goals.”
Yeong said the PDPC is also well aware of its responsibility to support the DPO. “A DPO must be equipped with data protection know-how,” he said. “Training is essential.” That’s why the PDPC works to release guidance on topics like de-identification and conducts regular industry briefings and sector-specific trainings so that organizations know how the PDPA applies to their industries.
They’ve spoken to 67 different trade groups, reaching some 30,000 people since 2014. Their e-learning program has been viewed by 20,000 visitors. And their two-day PDPA fundamentals course has been taken by more than 5,000 attendees.
However, the PDPC is now working with the IAPP, he noted, to develop an advanced training course for Singapore's market “to equip DPOs beyond the basics of the PDPA.”
This, combined with regular networking opportunities, Yeong said, “will help nurture the pool and quality of DPOs in Singapore … They need the opportunity and forums to support each other, to discuss challenges and opportunities. We all know how challenging the task is.”