Singapore Personal Data Protection Act 2012: Data Protection Officer roles and compliance

07 November 2024

Under the Singapore Personal Data Protection Act 2012 (“PDPA”), it is mandatory for organisations, including sole proprietorships, to appoint a Data Protection Officer (“DPO”) to oversee compliance with data protection laws. The DPO’s responsibilities include ensuring the protection of personal data, addressing queries, and promoting data security practices. Organisations that fail to appoint a DPO may face regulatory penalties.

In compliance with the Personal Data Protection Act 2012 (“PDPA”), it is mandatory by law for organisations, including sole proprietorships, to appoint at least one person as Data Protection Officer (“DPO”) responsible for ensuring compliance with the PDPA.

The DPO’s business contact information must be publicly available and may include a general telephone number or email address.

Organisations facing manpower constraints may outsource operational aspects of the DPO function to a service provider. However, compliance with the PDPA remains the responsibility of the organisation.

Responsibilities of the DPO

The responsibilities of a DPO include, but are not limited to:

  • Ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data
  • Promoting the importance of data protection and security practices and communicating personal data protection and security policies to all staff
  • Handling access and correction requests to personal data, and managing related queries and complaints
  • Alerting owners/partners to any risks that may arise regarding personal data
  • Establishing and reviewing the organisation's data protection risk framework and monitoring measures to evaluate their effectiveness

Who can be appointed as a DPO

The DPO function may be a dedicated responsibility or added to an existing role in the organisation; for example, a partner or owner can be the DPO. The appointed DPO may also delegate certain responsibilities to other officers. Organisations with manpower constraints may outsource operational aspects of the DPO function to a service provider.

The PDPA does not prescribe the nationality of a DPO or where they should be based. Additionally, the DPO need not be an employee of the organisation.

However, to comply with the PDPA, the DPO whose business contact information is provided must be reachable whenever a member of the public in Singapore attempts to contact them. For clarity, it is not mandatory to use a Singapore telephone number, though you are strongly encouraged to do so to ease communication.

What happens if I do not appoint a DPO

The PDPC may take action against organisations that cannot demonstrate compliance with the PDPA requirements to appoint a DPO and to make the DPO’s business contact information available to the public. The specific enforcement action(s) the PDPC takes for an organisation’s failure to appoint a DPO will depend on the circumstances of any data breach incident, the extent of the organisation’s non-compliance with the PDPA, and its response in rectifying the situation. Enforcement outcomes may include warnings, directions, or financial penalties. It is therefore crucial for organisations to comply with the requirement to appoint a DPO, as mandated by the PDPA, and to ensure proper data protection governance.

It is important to ensure that the DPO information is accurate and up-to-date, as this information will be publicly available and used by individuals to contact your DPO regarding data protection matters.

Apex Compliance Solutions

Apex Compliance Solutions offers two options to help organisations comply with the PDPA.

Option 1 – Outsourcing of DPO

When the DPO is appointed in-house, Apex Compliance Solutions will assist in ensuring that the organisation complies with the PDPA through the following services:

  • Registration of the DPO with ACRA BizFile or the PDPC
  • Assistance in preparing the organisation’s personal data assets and account inventory
  • Review of data protection and security policies
  • Assistance in developing an incident response and data breach management plan
  • Ensuring all employees in the organisation have completed training
  • Conducting regular reviews of the DP framework

Option 2 – Appointment of DPO supplementary

  • All services as per option 1
  • An individual who can be registered as the DPO on behalf of the organisation

Stay informed with the latest updates

We encourage you to keep up to date with our global regulatory tracker. Cut through the complexity and stay up to date with our interactive hub, where you can quickly and easily track the regulatory and compliance updates that matter to you.
