In search of data protection officers

In search of data protection officers
PUBLISHED ONApril 22, 2014 3:04 AMByKenny Chee

SINGAPORE - Many companies here could have trouble finding the right people to ensure they do not breach the new personal data protection rules, going by survey results released last month.

A study of 50 companies here found that small and medium-sized enterprises (SMEs) were more worried than multinational corporations (MNCs) about this.

This could be because there is a limited pool of data protection officers equipped to do the work.

Data protection officers are responsible for making sure that an organisation follows the guidelines and complies with the new act.

The study was done in the second half of last year by Protiviti, a consultancy firm that is a subsidiary of the recruitment firm Robert Half.

Protiviti had asked firms to rate their level of concern on several data protection matters, on a scale of one to five (one being "least worried").

For hiring or appointing a data protection officer, SMEs, on average, had a score of four. MNCs were less worried, with a score of two.

Fined up to $1 million

Of the firms polled, 60 per cent were SMEs (defined as firms that earn up to $100 million a year). The rest were MNCs. There are 170,000 SMEs here and they account for almost all enterprises, according to Spring Singapore.

The survey results were released ahead of July 2, when the Personal Data Protection Act kicks in. Firms will then need consent from consumers to collect and use their personal data, under the Act. Those who break the rules can be fined up to $1 million.

There may be few data protection officers available simply because the Data Protection Act is new, said the managing director of Protiviti South-east Asia, Mr Sidney Lim.

"The extent of work required for an organisation may not be clear right now," he added.

Besides expertise in compliance issues, data protection officers need experience in legal, information technology and operational matters, he said. This is partly because the law deals with many aspects of data protection, including data collection.

Pooling resources

MNCs likely have it easier than SMEs because they have more resources to engage data protection officers and may be able to pay them better, said Mr Lim.

How have SMEs coped? Protiviti's findings suggest that many do not hire a data protection officer, opting instead for an existing employee - such as from the operations, legal or human resource departments - to fill the role, said Mr Lim.

The Association of Small and Medium Enterprises (Asme) said some SMEs, which cannot afford to hire such officers, plan to pool funds with others in the same industry to get a law firm or consultant to help with data protection compliance.

Asme council member Eric Tan said it is also planning a programme to train professionals, managers and executives for data protection roles.

The training programme is due to be launched within three months and is expected to train 2,000 people this year.

kennyc@sph.com.sg

This article was published on April 16 in Digital Life, The Straits Times.

Get a copy of Digital Life, The Straits Times or go to straitstimes.com for more stories.

This website is best viewed using the latest versions of web browsers.