The laws around personal data mean privacy and protection are important to any business collecting and storing customer and employee data. The role of the Data Protection Officer (DPO) is to ensure the business meets all the requirements of safeguarding data. By understanding the role of the DPO, you can ensure your business is compliant.
How is this relevant to small business?
Since the EU's General Data Protection Regulation (GDPR) took effect in May 2018, any company worldwide that offers goods or services to people in the EU, or monitors their behaviour, must comply with it regardless of where the company is based. Many Singapore SMEs fit this bill. Note that the GDPR itself mandates a DPO only in specific cases (public authorities, or organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), though appointing one is good practice for any business handling EU personal data. For Singapore companies, including those that haven't internationalised, appointing a DPO is a direct requirement of Singapore's Personal Data Protection Act (PDPA).
What if there aren’t enough resources for a DPO?
No matter its size, every organisation in Singapore is required by the PDPA to designate at least one person as its DPO, either an existing employee or a third party. Failure to comply with the Act risks a financial penalty of up to S$1 million. Penalties under the GDPR can be even higher: up to €20 million or 4% of worldwide annual turnover, whichever is greater.
You don't need to hire someone specifically for the position; appointing someone already within your business will suffice, and outsourcing the role is also an option. Whichever you choose, make sure it is someone who understands your IT processes and how personal data actually flows through the business, since the DPO cannot verify compliance without that picture.
What are the role’s main responsibilities?
The DPO's top priority is ensuring compliance with the PDPA. A good starting point is to audit current company practices and policies around data collection, both hard copy and electronic, to see how they align with the Act.
Beyond this, DPOs also need to handle queries and complaints relating to data protection, encourage a widespread culture of data security, foresee and act on any possible risks in the management of personal data, liaise with the Personal Data Protection Commission if required, and much more.
For DPOs starting out, subscribing to the Commission's newsletter, DPO Connect, is a good first step. It will help you stay abreast of changes to data protection matters, find out where to get assistance, and get updates on upcoming PDPC events.
Once appointed, how do we support them in their role?
Given the varied and complex responsibilities of a DPO, companies can help them fulfil their duties by:
- Providing opportunities for professional learning through Commission-run courses
- Supporting the DPO's efforts, together with relevant staff across the business, to conduct a risk assessment of current data management practices, including how data is stored, who has access to it, and how and when data is destroyed once it is no longer needed
- Proactively protecting company data through the use of trusted cybersecurity solutions
- Implementing tools such as Office 365 that use a defence-in-depth approach, providing physical, logical and data-layer security features and operational best practices. Bear in mind that no tool by itself makes a business compliant: the DPO still has to confirm that it is configured and used in line with the organisation's data protection policies.
Ultimately, protecting personal data is an obligation that all SMEs must now meet. The appointment of an informed and diligent DPO, combined with the right digital solutions, can identify gaps in data handling, minimise risk and help companies big or small achieve compliance.
This article was first published on Singtel MyBusiness. Information is correct at the time of publication.