Data Protection Officer
07 October 2025
Further to our previous alert titled “Action Required: New Guidelines on Data Protection Officer Appointment, Data Breach Notification, and Cross-Border Personal Data Transfers”, which was published on 29 May 2025, the Personal Data Protection Commissioner (“Commissioner”) released a further two (2) important sets of guidelines and one (1) roadmap on 21 July 2025 that specifically deal with data protection officers, namely:
- the Data Protection Officer Competency Guideline (“Competency Guidelines”);
- the Management of Data Protection Officer Training Service Providers Guideline (“Training Guidelines”); and
- the Data Protection Officer Professional Development Pathway & Training Roadmap (“Training Roadmap”).
Part A: Competency Guidelines
The Competency Guidelines provide additional guidance to complement the Appointment of Data Protection Officer Guideline (“DPO Guideline”), outlining the responsibilities and core competency areas of a Data Protection Officer (“DPO”).
According to the Competency Guidelines, the core competency areas expected of a DPO, along with their corresponding descriptions and references to the DPO Guideline, are as follows:
| Competency Area | Description |
| --- | --- |
| Advisory & Support | Provide guidance on personal data protection matters, including: • new initiatives that may impact personal data protection; and • the application of personal data protection laws to the operational activities of data controllers and data processors. |
| Risk Management & Assessment | Identify, assess, and mitigate risks related to the processing of personal data by the data controller or data processor, covering the full lifecycle of personal data. |
| Compliance Oversight & Monitoring | Oversee adherence to personal data protection laws and policies within the organisation to ensure continuous compliance. |
| Audit & Reporting | Prepare compliance reports, conduct and/or facilitate regular personal data audits, and ensure accurate documentation of personal data protection activities. |
| Communications & Stakeholder Engagement | Support the organisation’s personal data protection efforts through: • Engagement with internal and external stakeholders to ensure the implementation and adherence to security policies and personal data protection practices. • Carrying out training and awareness initiatives to educate staff on personal data protection laws, policies, and best practices. |
| Regulatory & Data Subject Management | Acts as a key contact point for both the Commissioner and data subjects. • Liaise with the Commissioner on regulatory matters, compliance obligations, and personal data breach notifications. • Handles data subject matters, including personal data protection-related queries, internal and external inquiries, complaints, personal data access and correction requests. |
In addition, the Competency Guidelines set out two (2) tiers of competency for DPOs:
- Fundamental Tier: The minimum core competencies required to carry out the functions and responsibilities of a DPO.
- Advanced Tier: Higher-level competencies needed to lead strategic and organisation-wide personal data protection initiatives, building on those in the Fundamental Tier.
Pursuant to the Competency Guidelines, all DPOs are expected to meet the competencies under the Fundamental Tier. The appointment of a DPO with Advanced Tier competencies is not required in all cases as the need for such competencies should be assessed based on the size, complexity, and risk exposure of the organisation’s personal data processing activities.
Part B: Training Guidelines
The Training Guidelines are intended to provide a framework for the recognition and oversight of training providers, to ensure that the appointed DPOs receive training that:
- meets the expected quality standards;
- equips them with the necessary knowledge and skills to carry out their responsibilities effectively; and
- complies with the requirements under the PDPA.
Pursuant to the Training Guidelines, the Commissioner may, where necessary or expedient:
- determine courses and training programmes for DPOs; and
- establish professional skills benchmarking mechanisms to assess DPO competencies.
A training provider should demonstrate the necessary capacity, infrastructure, and capability to deliver DPO training programmes that meet the requirements outlined in the Training Guidelines.
In addition, a training provider seeking recognition under the Training Guidelines should also demonstrate the capability to deliver training programmes that equip the appointed DPOs with the competencies required to carry out their responsibilities effectively.
Part C: Training Roadmap
The purpose of the Training Roadmap is to set out a pathway to support the development of the appointed DPOs, ensuring that training, certification, and assessment components meet the quality, standards, and regulatory requirements established under the PDPA.
However, please note that the implementation of the Training Roadmap remains subject to further determination by the Commissioner.
This article is intended for general information. It should not be regarded as legal professional advice.
If you have any questions about how this development may impact your organisation or business, please feel free to reach out to Mr. Tan Gian Chung (Partner), Nina Lai Jian Xian (Partner) and Nyau Kok Cheong, Jeff (Partner) of our firm’s Technology, Multimedia & Telecommunications (TMT) Law Department, for further advice.
This alert is prepared with the assistance of Sai Jia Siang (Associate).