Summary Findings: 10,000 Data Protection Professionals needed in Singapore within the next three years

Conducted by Straits Interactive

More than 10,000 Data Protection Professionals needed in Singapore within the next three years

Significant demand expected as companies ramp up their compliance with data protection laws and company leadership grapples with cyber-security issues

Straits Interactive, a specialist in personal data protection and governance, is forecasting that more than 10,000 data protection professionals will be needed in Singapore over the next three years.

The study, conducted in February 2017, identified two key drivers. New and enforcement of existing data protection laws in the ASEAN region and in the European Union, resulting in local companies ramping up with their compliance with the Personal Data Protection Act as well as those with overseas operations. The other driver is company leadership grappling with cyber-security issues.

The Personal Data Protection Act (PDPA) includes ‘Do Not Call’ rules and data protection rules. The data protection rules have been in force in Singapore since 2 July, 2014. They require all organisations in the private sector to appoint a data protection officer (DPO). The role of the DPO is to ensure compliance with the the data protection rules in the PDPA. Compliance includes how the organisation collects, uses and discloses personal data, and how it safeguards personal data under its care. Safeguarding personal data includes keeping it safe from cyber attacks, including where they are made possible by untrained, negligent or disgruntled staff.

Any organisation that breaches the data protection rules can be fined up to $1 million. Where offences under the PDPA are attributable to neglect on their part, directors, CEOs and other corporate officers can be personally liable for them.

About the Survey Conducted

Straits Interactive made its forecast after analysing the number of enterprises in Singapore, open job positions in the market that referenced data protection company requirements, as well as worldwide and regional trends that it expects will increase demand for data protection expertise.

The research survey compared two periods – July 2016 (three months after the Personal Data Protection Commission (PDPC) commenced enforcement actions in April) and in February 2017. It looked for open job positions available on popular job portals that referenced data protection in one way or another – job description or entry criteria. It found a total of 118 advertised positions, about 300% more than in July 2016 when only 42 such positions were advertised. Of the 118 advertised roles in February 2017, 17 were DPO roles.

Between April 2016 and February 2017, the PDPC has been creating and delivering educational and awareness campaigns and actively enforcing compliance with the PDPA. The PDPC has also warned or fined organisations from various sectors ranging from small SMEs offering goods or services to consumers, retailers, and non-profit organisations to an insurance multi-national.

“We can certainly conclude that enforcement actions over the last few months involving more than 25 companies that got into trouble with the PDPA, combined with the PDPC’s education and awareness outreach, have prompted more companies to include data protection in their job search criteria,” said Kevin Shepherdson, CEO of Straits Interactive. “We are expecting a significant increase in demand for data protection skills once heavier fines are imposed and as new laws in the region and the European Union are introduced over the next year or so. The 10,000 data protection professionals that we are forecasting over the next three years is a conservative estimate and presents an opportunity for Singapore to position herself as a hub providing data protection expertise to the region.”

This ties in with recent research done by the International Association of Privacy Professionals. “According to research released in November of 2016, the IAPP estimates that GDPR requirements will give rise to a need for more than 75,000 data protection officers in companies worldwide, including some for Singapore” said Rona Morgan, Managing Director, IAPP Asia. “The mandatory DPO requirement in Singapore gives rise to the need for many more. 10,000 is a large number but it shows the growing importance of the role of the data protection officer and the need for these professionals to be trained and professionally certified to be able to perform their roles effectively and credibly.”

Summary of the findings

Here is a quick summary of the findings:

  • In February 2017, the survey found a total of 118 advertised job positions that included data protection as one of the job specifications or preferred experience factors
    • More than a 300% increase compared to findings for July 2016 (118 vs 42) for the overall positions available
  • Up to a 200% increase in major job portals such as Monster.com, Jobstreet and Region Up
    • Monster.com (28 available positions in February 2017 vs 14 in July 2016)
    • Jobstreet.com – February 2017 (15) vs July 2016 (8)
  • The three largest sectors were the IT sector (24%) and regulated sectors such as financial services – banking/finance (18%) and insurance (10%)
  • The top job categories were Information Technology (32%), Compliance (22%), Legal (16%)
  • Only 17 out of the 118 open positions listed a DPO role as either the main role or one of multiple roles. MNCs such as Great Eastern Life, Facebook, Uber and Nike have all been advertising for dedicated data protection or privacy officers to fill either local or regional positions. NUS was the only local entity our survey found advertising a specific position for its Office of Privacy and Compliance
  • An overwhelming number of legal counsel positions now list experience or expertise in data privacy and protection as a preferred consideration

Data Protection vs Cyber Security

Cyber-security and data protection are inter-related because the data protection rules in the PDPA require organisations to safeguard personal data. The survey found that many organisations focused on this requirement – there were four times more job posts referencing cyber-security than data protection/privacy.

Job PortalData ProtectionCyber Security
Jobstreet14137
Monster30124
RegionUp1741
LinkedIn57166
Total118468

Taking the cyber-security focus into account as well as the expanded scope of data protection beyond IT, legal and compliance function, the report projects that more than 1,000 job positions will have referenced data protection-related skills or qualifications by the end of 2017. Straits Interactive expects this to increase by 115% compound annual growth rate (CAGR) over the three next years to hit more than 10,000 by the beginning of 2020.

While there has been a greater emphasis on cyber-security skills upgrading among security and IT professionals at the technical level, lesser emphasis has been placed on data protection at the supervisory and management level in terms of re-skilling and training, accounting for the expected the shortage of data protection expertise.  

An overall framework is required by organisations at the people, process and technology (or systems level) to safeguard personal data as well as to protect against cyber or online attacks. Cybersecurity is at the systems while data protection is important at the “people” and “process” level as the root cause of many data breaches are at these levels.

“The Committee on the Future Economy (CFE) has identified the need to strengthen Singapore’s capabilities in data and cyber-security. Data protection and privacy expertise are key to helping organisations proactively handle data security and privacy issues at the management level,” said Dr. Lim Lai Cheng, Executive Director, SMU Academy. “The need to address cyber-security issues, emerging technologies such as Big Data, and data protection laws will create an industry shortage for data protection professionals. It can be solved by reskilling those looking for a mid career change and the unemployed who have managerial experience in departments and functions handling personal data.”

Seven Factors Creating Ongoing Demand for DPOs

Seven key factors were identified in the report released by Straits Interactive that will create ongoing industry demand for DPOs:

  1. All companies and other businesses operating in Singapore must comply with the PDPA;
  2. The PDPA mandates appointment of at least one DPO;
  3. The PDPC is actively enforcing the PDPA with more than 25 companies getting into trouble so far;
  4. More countries in the region are introducing data protection laws and countries that already have them are increasing their enforcement activity;
  5. Organisations in the region, including Singapore, must comply with new European data protection law from early 2018 if, for example, they market their goods or services to Europeans;
  6. Continued high profile data breaches worldwide;
  7. Smart Nation Vision and Singapore’s ‘digitalisation’ drive.

Besides an increasing number of positions available for data protection professionals in the next three years, including complementing cyber-security roles, Straits Interactive expects more companies to look for data protection skills in many existing job roles that require processing of personal data – this
ranges from sales and marketing, to human resource, operations, and IT roles, in addition to the usual legal and compliance positions.

Straits Interactive currently offers the only hands-on Data Protection Officer (DPO) training in the Singapore market with 322 trained data protection officers in 2016. It also offers dedicated courses to prepare individuals for the International Association of Privacy Professionals various certifications – CIPM (Certified Information Privacy Manager) for DPOs, CIPT (Certified Information Privacy Technologist) for those in the info–comm sector, as well as the recently introduced CIPP/A (Certified Information Privacy Professionals, Asia) for legal professionals and regional data protection professionals. All these courses are funded under the CITREP+ scheme.