What HR professionals should know about hiring a DPO (such as qualities to look out for), or when appointing one of their staff for data protection training.
Digital transformation has equipped companies with new capabilities, enabling them to operate better, faster, and more cost-efficiently. However, the risks that come with digital transformation also require organisations to build good personal data practices into their day-to-day operations.
Without sound policies, processes and procedures relating to personal data, an organisation’s digital transformation efforts may backfire – causing more harm than good. Hence, the growing global need for data protection officers (DPOs).
DPOs ensure that organisations comply with data protection regulations and that risks in handling data are sufficiently managed. As an HR professional, what qualities would you look out for in hiring a DPO, or designating a staff member for data protection training?
Does your organisation need a DPO?
More ASEAN countries have been introducing and enforcing their data protection laws in recent years. Singapore and the Philippines, among the early adopters of data protection regulation in the region, have been ramping up on enforcement.
Thailand’s own Personal Data Protection Act (PDPA) came into full force on 1 June 2022, while data protection laws for Indonesia, Brunei and Vietnam are also on the horizon. China’s Personal Information Protection Law (PIPL), a highly influential law for this region, has also been effective since November 2021.
These compliance laws require organisations to demonstrate accountability, not just on paper but as evidenced by their day-to-day operations. This further spurs the demand for DPOs as organisations are coming under increasing pressure to comply with relevant laws, and to maintain consumer confidence.
An organisation’s accountability spans the entire lifecycle of personal data in an organisation – beginning with its collection, followed by its usage and storage, and finally its disclosure or transfer. There are risks associated with each stage in the information lifecycle that need to be identified and addressed.
For instance, improper storage of personal data, such as information provided by customers through an online form, may increase the risk of unauthorised access. Without a DPO, these points of vulnerability often go unnoticed, until a data breach occurs.
What does a DPO do?
The main responsibility of the DPO is to administer the data protection management programme that governs how personal data is being collected, used, disclosed or stored within an organisation, according to the requirements of relevant data protection laws.
The DPO must work with all departments to implement controls so that gaps and vulnerabilities in personal data processing are addressed and rectified. DPOs also work with department heads to ensure that staff are aware of the organisation’s privacy policy, and are adequately trained in data protection best practices.
The following infographic summarises the basic responsibilities of a DPO. In our experience in consulting with more than 600 companies, however, the DPO’s responsibilities often extend beyond these.
Large organisations often appoint an individual to take on the DPO role as their full-time job. Companies that handle large amounts of personal data may need several data protection professionals to achieve operational compliance. In smaller organisations, however, it’s more common to see double-hatting, wherein the responsibilities of a DPO are added to another job role.
Whatever the case may be, it is important that the DPO has the right skills and is fully equipped to do the job. The organisation should take time to assess its needs before appointing a person suitable for the role of a DPO.
What skill sets must DPOs possess?
DPOs may need to wear several hats when performing their roles - compliance, project and risk manager, trainer, counsellor and investigator. They would also need to be able to communicate and liaise with senior management.
Hence, the role requires a more experienced person who is familiar with the various business lines. In fact, PDPA guidelines recommend that the DPO be of a fairly senior level (from middle to senior management), so as to effectively direct and oversee data protection initiatives.
The risks associated with processing personal data are also often enterprise and industry-specific. Thus, it would be beneficial if the DPO is familiar with the industry that the organisation is part of.
Some soft skills which are desirable in a DPO include:
- Demonstrated leadership skills in achieving stated objectives and managing varied projects
- Demonstrated negotiation skills to interface successfully with regulators, customers, and internal clients
- Relationship management skills to coordinate with departments of the organisation and externally with vendors handling personal data (processors)
- Ability to communicate with a wide-ranging audience, from the board of directors to individuals (data subjects), from managers to IT staff and lawyers
- A self-starter with the ability to gain the required knowledge in dynamic environments
- Ability to deal with different business cultures and industries
As data protection is new, it would be difficult to find an “experienced” candidate in this field. A possible “hack” is to find those who have gone through specialised data protection training.
It would also be beneficial to support the DPO with data protection experts and consultants who can help guide the DPO as he/she operationalises data privacy in the organisation.
What qualifications are required of a DPO?
A DPO need not be a trained legal professional. What they must have is sufficient data protection knowledge to be able to translate the legal requirements into operational compliance – which involves crafting and implementing the right policies, processes, and procedures.
A DPO also need not be an IT professional. However, an understanding of information systems and an appreciation of information security would be helpful. Familiarity with information systems auditing, attestation audits, and the assessment and mitigation of risk would also be beneficial.
First of all, a DPO must have an understanding of the data protection law that is relevant to your organisation (Singapore Personal Data Protection Act, Philippine Data Privacy Act, European GDPR). Most of the time, this is the law corresponding to the jurisdiction in which your organisation operates.
Courses such as the Hands-on Data Protection Officer Course (Singapore, Philippines, Malaysia) by the Data Protection Excellence (DPEX) Network, powered by Straits Interactive, help provide a good foundation for DPOs.
These courses cover not only the “what” of the local data protection law but also the “how” to comply, which is not often addressed by many such courses. The course provided by the DPEX Network offers a Certificate of Proficiency in Data Protection and GRC (Governance, Risk Management and Compliance) awarded by OCEG, the organisation from which GRC originated.
DPOs can then proceed to further their knowledge in operationalising data privacy. There are several certifications to choose from, such as the International Association of Privacy Professionals’ CIPM and CIPT certifications, and ISO certifications on Information Security Management Systems (27001) and Privacy Information Management Systems (27701).
Academic routes for DPOs who require a larger skill set in data protection practices are also available, such as the Asian Institute of Management’s Postgraduate Certificate in Data Protection Operational Excellence, and Singapore Management University’s Advanced Diploma in Data Protection.
The DPEX Network has summarised the various routes DPOs can take to gain data protection competencies through this roadmap (Singapore only).
How can a DPO pursue continuous learning?
Though some companies are still scrambling to implement data protection in their organisations, the rapid pace of digital transformation is already leading organisations to shift from data protection to data governance.
While data protection is about decreasing risks in handling personal data, data governance takes a broader view on decreasing risk and increasing the value of data, to enable the organisation to better achieve its business goals. While data protection focuses mainly on risk management, data governance focuses on value creation and innovation.
In today’s data-driven world, data is a highly valued asset. Data protection professionals are thus seeking continuous learning to gain competencies in data governance, to enable their organisations to make the most of emerging opportunities and gain an edge in the highly competitive business environment.
Can the duties of the DPO be outsourced?
Organisations should be mindful that while the role of the DPO can be outsourced, the responsibility and accountability to their stakeholders still lie with the organisation.
Whilst many jurisdictions allow for the outsourcing of the DPO role, the third-party service should be seen as supplementary. There are inherent benefits in employing a DPO, as he or she has specific organisation and industry knowledge, as well as networking relationships.
As more countries around the world begin to adopt data protection regulations, demand for DPOs is currently exceeding supply. In order to maintain consumer trust, and to do right by their data, organisations, and the hiring managers and recruiters they employ, need to better understand the key skills and competencies they are looking out for.
SMU Academy is proud to partner with Straits Interactive to provide the most comprehensive adult learning and professional development programmes for data protection officers and professionals in Singapore.
Straits Interactive delivers end-to-end governance, risk, and compliance solutions that enable businesses to achieve operational compliance and manage risks in the area of data protection and data governance, through a combination of cloud technology and professional services.
The Data Protection Excellence (DPEX) Network is ASEAN’s largest community of data protection professionals, and is home to internationally-certified data protection consultants. It provides hands-on training and professional certification courses for those who are new to data protection, as well as various resources on best practices and cutting-edge research in the data privacy landscape.