June 12, 2022

Sourcing a DPO in APAC? Finding the Right Fit for Your Organisation

The privacy landscape in the Asia-Pacific (APAC) region is evolving rapidly, with new regulation and greater scrutiny of data protection practices. Over the last five years, many countries have enacted new privacy laws or amended existing ones to keep pace with technology and with practices in other parts of the world. Recent regulatory changes include China's Personal Information Protection Law, Thailand's Personal Data Protection Act, India's Data Protection Bill 2021 and amendments to Singapore's Personal Data Protection Act.

Several countries require the appointment of a Data Protection Officer (DPO) or equivalent person responsible for ensuring privacy compliance within the organisation. This requirement has resulted in an increased demand for individuals with privacy experience. As privacy is still a developing area in APAC, it can be difficult for organisations to find the right candidate with sufficient experience and professional qualifications to fill a specific role within the organisation. 

This article discusses some considerations for hiring a DPO so that the role brings real value to the organisation rather than merely satisfying another tick-the-box legal requirement.

Legal vs. Security Backgrounds

From a governance and reporting perspective, a DPO could sit either in a Legal/Compliance function or as part of the IT/Security function, provided there is no direct conflict of interest with their other formal responsibilities (for example, a person who also decides how and why personal data is processed would end up monitoring their own decisions). Choosing an individual with the right skills depends on business needs and on where privacy is situated within the organisation.

Legal/Compliance: A DPO needs to understand both the legal rules under data protection and privacy laws and any industry-specific requirements that apply to data. Someone with a legal background may be preferred where the company operates in a regulated industry or is subject to laws in multiple jurisdictions. Examples include financial services (banking and finance), healthcare and life sciences, telecommunications, and aviation.

Legal experience or training is useful when dealing with complex issues such as interpreting the requirements of several countries at once or working with regulators. This matters in APAC because privacy laws in the region are at different levels of maturity, and the requirements for handling personal data and transferring it abroad differ from country to country. Multinational companies may prefer someone with a working knowledge of the GDPR (General Data Protection Regulation) or the CCPA (California Consumer Privacy Act), as they may have adopted one of these as a baseline standard across the entire group for consistency.

Other notable transferable skills of candidates with a legal or compliance background include:

  • Reviewing contracts for data protection clauses
  • Assessing data breach notification rules
  • Conducting privacy due diligence on selected areas of the business and/or vendors 
  • Liaising with external counsel where additional advice may be sought on a developing area of law

Furthermore, some organisations may wish to rely on legal professional privilege when handling sensitive matters, which is available where the DPO is in-house legal counsel; note that whether privilege extends to in-house counsel varies by jurisdiction.

IT/Security: Much of the personal data used by organisations sits in databases and systems and is otherwise processed by digital means. A DPO therefore needs to be technology literate and have a good understanding of the technology infrastructure: where the data is stored, who accesses it and how vendors process it. Experience in information security typically brings an understanding of technical and organisational controls and of risk management concepts, which are increasingly important for framing privacy policy requirements in ways that the business and technology functions can understand and embed. Skills linked to IT audit and risk assessment are also relevant to the DPO's role in undertaking privacy impact assessments, assessing the maturity and effectiveness of privacy controls, and handling the ongoing accountability, assurance and risk-management reporting around privacy compliance.

A background in information security or technology may be beneficial in more data-driven companies where privacy is treated as a core component of information security and where staff and management also come from a technology or engineering background. This may be the case where companies build software that works closely with personal data (e.g. machine learning or software development). Such a role requires stronger privacy-by-design skills to ensure that data is available, kept secure and handled in line with internal privacy policies on data handling. It also requires someone with a deeper understanding of information technology and infrastructure who can genuinely understand how a piece of software, a platform or an app works.

Someone with an IT background may find it easier to give pragmatic recommendations and feedback on integrating privacy by design directly into the product or system development lifecycle, and when conducting privacy impact assessments of highly complex technology projects, as they generally have a better grasp of how the technology works and can discuss requirements and concerns with colleagues in technical terms.

Ideally, a candidate with a blend of legal and information security experience can facilitate discussions between different stakeholders and enable the business to use personal data in a compliant manner. An incomplete grasp of either the legal or the security side may lead to over-engineered solutions, duplicative layers of paperwork, or recommendations that are difficult to implement in practice. Clear delineation of roles and responsibilities between stakeholders, and open channels of communication between the legal, compliance and information security departments, improve the chances of success for projects and initiatives within the company.

Professional qualifications and skills people don’t talk about

Aside from recognised professional qualifications, several other skills are desirable in a DPO, including project management, stakeholder management and experience with privacy tooling and technology solutions. Language skills may also be important for an APAC-based DPO where English is not the primary language of local communication.

Professional qualifications: Certification from the International Association of Privacy Professionals (IAPP), the Information Systems Audit and Control Association (ISACA) or other recognised providers may be desirable as evidence that the candidate has a foundational level of knowledge of privacy or security requirements. IAPP qualifications applicable to APAC include CIPP/A, CIPT and CIPM. Privacy technology vendors also offer certifications for their user courses, which can be useful if the organisation uses privacy management technology.

Governance and oversight: The DPO plays a key part in the company's privacy programme: designing, implementing and monitoring it, providing privacy training, and ensuring that privacy policies are applied consistently across the organisation. This requires project management skills to plan the budget for the year, manage the programme, undertake targeted compliance monitoring or assurance reviews, collect key privacy metrics across the organisation and report to management.

Stakeholder management: A successful DPO continuously engages with stakeholders across the business to generate buy-in and raise privacy awareness. This involves frequent interaction and communication with the functions that handle personal data, including:

  • Internal-facing functions such as HR and Finance, which handle employee data
  • Legal
  • Compliance
  • IT
  • Business strategy
  • Information security
  • Marketing

Good communication skills and channels increase the visibility of the DPO, which results in senior management involving them earlier and more often in upcoming projects that have a personal data element.

In-house DPO vs. outsourced DPO

Choosing the model that works for your organisation will depend on its size, budget, available resources and skills, and the extent to which the company is exposed to privacy risk.

In-house DPO: A full-time DPO may be preferred where companies:

  • Handle large volumes of personal data
  • Process sensitive or high-risk personal data
  • Need the DPO to have access to confidential or sensitive business information
  • Have several ongoing projects or initiatives that involve personal data processing and present risks to the organisation

An in-house DPO does more than draft and implement privacy policies and provide privacy advice and recommendations. They also engage frequently with business stakeholders to understand how data is used in different parts of the organisation, and conduct ongoing monitoring of the business to gather privacy metrics for reporting and to measure the effectiveness of the privacy programme. These activities are significantly easier for an in-house role, as the individual is part of the organisation and can receive confidential information about upcoming projects and initiatives.

Outsourced DPO: Organisations that process personal data on a limited basis may be better suited to appointing an outsourced DPO. Management should consider whether an external DPO can feasibly provide sufficient coverage of personal data issues in the company; this is not a suitable option for organisations that are very data-driven or handle large volumes of sensitive personal data. Where an outsourced DPO is appointed, the organisation should ensure that there are clear escalation procedures for engaging the DPO and for keeping them updated on relevant activities.

Additional resourcing and support for the DPO: Additional support should be considered for peak periods of the year, for specific tasks, or for areas where deep subject matter expertise is required. This allows the DPO to focus on higher-level priorities and lets management flex resourcing while avoiding the fixed costs of permanent headcount.

Conclusions

Keep in mind that APAC is a large region composed of many national laws with different levels of privacy maturity, different languages and varying requirements. Privacy is still very much a developing area in APAC, and it can be difficult to find a candidate with the background and experience that is the right fit for your organisation. Hiring a DPO with the appropriate blend of skills and experience to communicate effectively with the organisation and promote privacy awareness and compliance is the first step in building an effective privacy programme and framework.


A&M’s Privacy and Data Compliance Services

Alvarez & Marsal is a management consulting firm that provides privacy and data compliance services and has offices in Europe, the Americas, the Middle East and Asia Pacific. We have a deep understanding of privacy and data protection regulatory requirements, and our expert team has supported global clients across a range of sectors including financial services, healthcare and technology.

Our privacy and data compliance services include:

  • Designing, setting up and providing training to the data privacy office
  • Developing and implementing privacy frameworks and programs
  • Providing recommendations on privacy and data protection best practices including cross-border data transfers, privacy due diligence on mergers and acquisitions, and privacy risk assessment on vendor due diligence and third-party risks
  • Conducting privacy assessments to understand the maturity of privacy in the organisation and benchmarking practices with other players in the industry
  • Providing support with data mapping, privacy impact assessments, managing data subject access requests

A&M: Leadership. Action. Results.
A&M’s privacy and data protection professionals have extensive operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. To learn more about our expertise and to understand the full scope of our services, please get in touch with one of our authors.

Authors

Nicole Chee

Senior Manager