Appointing a Data Protection Officer (DPO) is potentially one of the greatest challenges you face in complying with the General Data Protection Regulation (GDPR). In addition, a host of data privacy regulations worldwide and across industry sectors may demand more than any single DPO could manage. Here at 360a, you have a team to back you.

At 360a, we are dedicated to freeing your business from all stress so you can focus on revenue generation. As with our other services, including Accounting, Human Resources, and Business Development outsourcing, we are proud to help take away the stress of dealing with Data Protection Law. Ensuring your business complies with all of the new 2021 Personal Data Protection Act (PDPA) amendments is essential to doing business in Singapore. 360a is proud to offer our Outsourced Data Protection Officer (DPO) service to help your business navigate all the intricacies of the PDPA.

Aside from the restrictions, the PDPA brings many benefits at all levels.

  • It gives individuals more control over how their data is collected, used, and disclosed.

  • It allows individuals to access and correct their data held by organizations.

  • It builds consumer confidence.

  • It facilitates safe and protected cross-border transfer of information.

  • It enhances efficiency and productivity, branding and competitiveness.

  • It serves to strengthen Singapore’s position as a trusted hub for data hosting and management activities.

To comply with the PDPA, organizations must take two steps.

  1. The first step involves appointing a Data Protection Officer (DPO). Companies must designate one or more Data Protection Officers (DPOs) to ensure that the organization complies with the PDPA.

  2. The second step requires that an organization implement Data Protection Processes, including mapping out the Personal Data Inventory. Organizations must also communicate to employees and establish an Internal Audit policy to comply with the PDPA.


360a’s DPOs will be your go-to for matters related to your organization's data protection. No company is immune from PDPA scrutiny, with fines ranging from $1 million for large organizations like SingHealth and IHiS to $5000 for small organizations like the Singapore Red Cross or the SMU alumni association.

Any organization doing business in Singapore must have a DPO. The DPO will be responsible for ensuring compliance with the PDPA when developing and implementing policies and processes for handling personal data, as well as for managing personal data protection-related queries and complaints. Your DPO will be your point of contact and will liaise directly with the PDPC on data protection matters if necessary. DPOs are essential for increasing awareness, fostering a data protection culture among employees, and communicating personal data protection policies to stakeholders. Assessing risks and alerting management to any risk that might arise regarding personal data is a primary responsibility for any DPO.


360a’s DPO service includes:

  • Registered as Spo for 12 months contract with ACRA

  • Set up Data Protection Officer (DPO) e-mail

  • Add monthly emailer on latest PDPA regulations

  • Conduct a quarterly on-site audit

  • Provide PDPA e-learning for company employees

  • Develop the company privacy policy

  • Provide the company data handling process 

  • Provide advisory on PDPA-related queries

  • Provide a risk assessment of data breach (value-added)

  • Provide advisory on ongoing communications with PDPC


By outsourcing your DPO to 360a’s professionals, you will experience many benefits. You will begin saving money immediately with a low annual retainer fee and fast compliance set up by an experienced professional who knows exactly how to handle the PDPA. 360a is a team of Data Protection Officers with proven track records in providing organizations with PDPA compliance risk management solutions and strategies.

After the risk assessment of the data breach, if the risk level is determined to be middle or high, 360a will recommend and propose that your organization apply for the Data Protection Trustmark (DPTM). As part of advancing the digital economy strategy to allow Singapore to stand out as a trusted data hub with a well-developed data ecosystem that supports competition and innovation as well as cross-border data flow, the PDPC has developed the Data Protection Trustmark (DPTM) Certification to help organizations verify their conformance to personal data protection standards and best practices. The DPTM will be a visible indicator that an organization adopts sound data protection policies.


There are nine main obligations of the PDPA that must be complied with.

  1. CONSENT: you must only collect, use, or disclose personal data with consent.

  2. PURPOSE LIMITATION: you can only collect, use, or disclose personal data if it is deemed reasonable and appropriate.

  3. NOTIFICATION: you must notify individuals of the purpose of the collection, use, or disclosure of personal data.

  4. ACCESS and CORRECTION: upon request, organizations must provide information about using or disclosing personal data and correct any error or omission.

  5. ACCURACY: organizations must ensure that personal data is accurate and complete.

  6. PROTECTION: once an organization has collected the data, security arrangements must be made to protect the personal data.

  7. RETENTION LIMITATION: organizations must cease retention of personal data once the personal data is no longer necessary.

  8. TRANSFER LIMITATION: the transfer of personal data outside of Singapore is prohibited except under PDPA requirements.

  9. OPENNESS: companies must make information about their data protection policies, practices, and complaint process available on request.


Since the Singaporean government passed the Personal Data Protection Act (PDPA) in 2012, new regulations have gradually come into effect. From 2 July 2014 onward, all organizations, including SMEs and non-profit entities, must appoint a Data Protection Officer (DPO) and comply with the Personal Data Protection Act 2012 (PDPA), which governs the collection, use, and disclosure of personal data. Compliance with the PDPC is essential, and failure to do so can have far-reaching negative repercussions. The punishments for a breach may include a fine of up to 10% of annual revenue or S$1 million, whichever figure is higher. The largest fine imposed so far was a collective fine in January 2019 for the 2018 hacking incident that exposed the data of over 1.5 million patients. Every company must have a designated DPO who is aware of any changes in the laws or any data breach.