In Singapore, the demand for roles requiring data protection expertise increased by 26% in 2021, after doubling the previous year. As more countries around the world, including in Southeast Asia, adopt and evolve their own data protection laws, this trend is expected to continue.
The changes of recent years are allowing companies to see that simply complying with data protection requirements falls short of their overall plans in relation to data – they are already transitioning from data protection to data governance. This means moving from risk management to using data for value creation. Data protection addresses the dangers of handling personal data, while data governance seeks to decrease the risk and increase the value obtained from data, including personal data.
Data protection professionals are thus also seeking continuous learning to keep their skills and competencies in line with the new demands of their evolving roles or to equip themselves for more highly paid roles that embrace data governance.
Why DPOs are essential
The Covid-19 pandemic has accelerated digital transformation, such that businesses that do not digitalise their operations put themselves at a disadvantage. But while digitalisation has brought convenience, speed and innovation, organisations are beginning to recognise the new risks that come with it.
One of these is the risk of failing to build good personal data processes into the way they do business. Ensuring data protection requires a specific set of skills to manage personal data at all stages – collection, use, disclosure and storage – which is why organisations are scrambling to find data protection officers (DPOs).
With data protection being a specialised skill, individuals holding privacy certifications such as ISO 27001, ISO 27701, and IAPP certifications are becoming highly valued. DPOs are not responsible personally for an organisation’s data protection competency and compliance – that responsibility falls to senior management, up to and including the board of directors – and they certainly do not do all the necessary work on their own.
But DPOs do play a vital role in helping to guide the policies of an organisation and develop standard operating procedures to operationalise those policies. Supported by the “tone at the top” of an organisation, and working with department and business unit heads, they are also skilled at promoting best practices and ensuring compliance with prevailing laws and requirements.
DPOs can deliver legal and financial benefits
In the European Union and Singapore, enforcement cases have been on the rise in recent years. Singapore has also raised the ceiling on its fines for compliance failures, including data breaches – and more countries are expected to follow suit.
Fines may be costly. In mid-2021 Amazon was fined €746 million for non-compliance with general data processing principles in the EU. In July 2022, the Greek supervisory authority imposed a fine of €20 million on Clearview AI in relation to its data collection and use practices.
Sizeable as they can be, fines are usually the least of an organisation’s problems while under investigation. The financial impact of a data breach, for example, extends to the costs of investigating the source of the breach, which may require hiring cybersecurity experts, losses due to downtime, the loss of assets and data, and the loss of trust among its customers.
Regulators may also impose penalties in addition to fines. Clearview AI was banned from collecting and processing the personal data of people living in Greece and ordered to delete any data on Greek citizens that it had already collected.
As for Amazon, although payment of its fine has been suspended pending an appeal last December, the fine continues to loom and the company will likely be incurring ongoing costs, including legal fees and costs arising from management distraction.
A survey by Adobe showed that among APAC consumers, 66% would not purchase again from a brand that breaks their trust. Maintaining consumer confidence helps to ensure brand loyalty, which is generally necessary for continuing growth in revenues.
How you can assist the DPO
A DPO cannot do it all and is not meant to do it all. While the DPO may oversee the organisation’s Data Protection Management Program, data protection is the responsibility of everyone in the organisation.
Management buy-in and the cooperation of staff and managers at all levels are essential for the business to rise above the threats to personal data. It is important for everyone in the organisation to have the right mindset when it comes to data protection.
Thus, business unit staff must be given sufficient training on data protection processes relevant to their day-to-day tasks. Line managers are also expected to ensure that best practices relating to data protection are consistently implemented in their teams.
Lastly, data protection is not a one-off exercise. The management of many organisations seems to think that data protection is something you learn once, set up, and then leave alone.
In fact, it is a continual process – it must be part of the company’s daily operations, and policies and standard operating procedures must be reviewed and updated periodically to ensure that they support operations and reflect any changes in the data protection law and emerging views of supervisory authorities.
The challenges of finding a DPO
Demand for DPOs is growing rapidly, as evidenced by a rising number of data privacy, data protection and data governance roles being advertised, and salaries are on the rise for data protection professionals globally.
However, the difficulty lies in finding certified and experienced data protection professionals to fill the roles, particularly as more organisations pivot from data protection to data governance.
Some of the competencies expected from a DPO include Data Protection Management, Business Risk Management, Cyber and Data Breach Incident Management, Stakeholder Management, and Data Governance.
Several of these are covered in the various privacy certifications mentioned earlier, such as the ISO 27701 standard and certifications awarded by the International Association of Privacy Professionals (IAPP). In some industries, skills in Audit and Compliance, Data Ethics, Data Sharing, and Design Thinking are also highly valued for DPOs.
The DPO role is also highly collaborative and involves change management – which is why soft skills such as project management, negotiation, and leadership are also required.
Adaptability is also a must for DPOs, particularly given today’s highly volatile environment. As new technologies sprout, data protection practices must simultaneously adapt. Communities for data privacy professionals like the DPEX Network help DPOs pursue continuous learning, stay updated, and connect with and learn from fellow DPOs in various industries.
It is no surprise that DPOs are gaining traction – and wise business leaders would know why and what steps to take next.