In July 2020, the Personal Data Protection Commission (PDPC) sent a mass email notification informing relevant business entities to register and appoint a Data Protection Officer (DPO) on ACRA’s BizFile. This article explains the actions to take and covers the most commonly asked questions about the DPO appointment.
What is a DPO (Data Protection Officer)?
A DPO is essentially an appointed individual, or a team of individuals, responsible for overseeing the data protection responsibilities within the organisation and ensuring compliance with the PDPA.
The business contact information (BCI) of the DPO must be made publicly available, and the DPO must be reachable at the provided BCI. The business contact information may be a general telephone number or email address of the organisation.
Must I appoint a DPO?
Every organization and entity, including sole proprietorships, must appoint at least one DPO, with his/her BCI made publicly available.
This is a requirement under the PDPA. Failure to appoint a DPO may lead to a preliminary investigation by the PDPC. If an organization or an individual fails to cooperate with the investigation, this will constitute an offence, which may result in fines or even imprisonment.
Who can be appointed as a DPO?
The appointment of a DPO is relatively flexible. There is no minimum age requirement, and the DPO does not have to be an employee of the company or be based in Singapore. Once a DPO has been appointed, he/she is also able to delegate certain responsibilities to other officers.
Roles of a DPO can also be outsourced to various data protection service providers.
The main requirement is that the DPO’s Business Contact Information (BCI) is made public and that the DPO is contactable at the provided BCI. In addition, the appointed DPO must be aware of, educated in, and well informed about the roles and responsibilities.
However, the organization must take note that compliance with the PDPA remains the responsibility of the organization even after a data protection officer has been appointed.
It is not uncommon for small businesses to appoint their director as the DPO as well, so long as the roles and responsibilities of the appointment are well understood.
What are the roles and responsibilities of a DPO?
The full information on the responsibilities of a DPO can be found on PDPC’s website.
Essentially, the DPO is in charge of developing and implementing policies and processes for handling personal data. This mainly relates to consent for the collection, usage, and disclosure of customers’ personal information, as well as its safekeeping.
Customers’ personal information includes, but is not limited to, NRIC numbers, contact numbers, and email addresses. In addition, the DPO must also be able to attend to queries and complaints relating to the management of the organization’s personal data protection.
How do I appoint a DPO?
Fortunately, the appointment of a DPO is relatively straightforward, and from 28th March 2020, ACRA-registered entities can register and update their DPO’s BCI via ACRA’s BizFile+ portal using their CorpPass accounts.
There are no filing fees associated with the appointment and filing of a DPO on ACRA.
The appointment process is as follows:
- Log in to ACRA’s BizFile+ portal using your CorpPass account
- At the top bar, select eServices > Others
- Register/Update Data Protection Officer(s).

- The appointment of a DPO is mandatory.
- Understand the roles and responsibilities of a DPO.
- For ACRA-registered entities, file the appointment on BizFile. Most small businesses would usually appoint their director as the DPO as well. Alternatively, you may also consider outsourcing the role of a DPO to various service providers.