PDP Commissioner issues supplementary guidelines relating to Data Protection Officers
29 October 2025
On 1 August 2025, the Personal Data Protection Commissioner (“Commissioner”) issued three supplementary guidelines on Data Protection Officers (“DPO”) under the Personal Data Protection Act 2010 (“PDPA”), providing clarification on the responsibilities of DPOs and DPO Training Service Providers.
This article provides an overview of these supplementary guidelines.
DPO Competency Guideline
The DPO Competency Guideline provides clarity on the attributes required in a DPO. Pursuant to the Guideline on the Appointment of Data Protection Officer issued by the Commissioner on 25 February 2025 (“DPO Appointment Guideline”), an appointed DPO must possess an adequate level of skills and expertise. Although the minimum professional qualifications for a DPO are not prescribed, the DPO Competency Guideline highlights the essential knowledge, skills, and abilities that a DPO should possess to perform their duties effectively, with competence required in the following core areas:
- Advisory & Support
- Risk Management & Assessment
- Compliance Oversight & Monitoring
- Audit & Reporting
- Communications & Stakeholder Engagement
- Regulatory & Data Subject Management
(collectively, “Core Competency Areas”).
Two-tier competency structure
All DPOs must demonstrate competence in each of the Core Competency Areas when performing their duties (“Fundamental Tier”), either through their own expertise, the support of an internal DPO team, or the engagement of third-party experts for a specific Core Competency Area.
In certain cases, a DPO is expected to have a higher level of competence to lead strategic and organisation-wide personal data protection initiatives (“Advanced Tier”), taking into account the size, complexity, and risk exposure of the organisation’s personal data processing activities. An Advanced Tier DPO is expected to be equipped with the core skills under the Fundamental Tier but with greater independence and a higher level of expertise.
The DPO Competency Guideline is available here and the DPO Appointment Guideline is available here.
Management of DPO Training Service Providers Guideline
The Management of DPO Training Service Providers Guideline (“DPO Training Service Providers Guideline”) sets out the Commissioner’s expectations for the quality, structure, and relevance of training programmes offered by training providers to appointed DPOs (“Training Providers”).
Training services must be delivered by Training Providers recognised by the Commissioner. A recognised Training Provider should have the capacity, infrastructure, and capability to deliver DPO training programmes that cover the following areas:
- PDPA and other applicable personal data protection requirements, including any relevant personal data protection practices;
- Organisational operations and personal data processing activities that a DPO must understand;
- Principles of information technology and data security relevant to personal data protection;
- Development of integrity, a sound understanding of corporate governance, and adherence to high professional and ethical standards by the DPO;
- DPO’s capability to promote a personal data protection culture within the organisation;
- DPO’s responsibilities to the organisation, data subjects, and the Commissioner, including assisting with Data Protection Impact Assessments and Transfer Impact Assessments; and
- DPO’s independence and access to sufficient resources to carry out their responsibilities.
To obtain recognition under the DPO Training Service Providers Guideline, a Training Provider will be assessed by the Commissioner with reference to the:
- trainer’s qualifications and experience in personal data protection;
- Training Provider’s delivery capacity and infrastructure;
- methods used to evaluate participants’ understanding; and
- training curriculum.
In addition to applying for formal recognition from the Commissioner, Training Providers are encouraged to ensure that their training programmes and supporting materials align with the criteria set out under the DPO Training Service Providers Guideline.
The DPO Training Service Providers Guideline is available here.
DPO Professional Development Pathway and Training Roadmap
The DPO Professional Development Pathway and Training Roadmap (“Roadmap”) sets out a structured framework to guide the development of appointed DPOs, ensuring that training, certification, and assessment meet quality and competency standards and regulatory requirements under the PDPA.
The Roadmap provides that training at the Advanced and Fundamental Tiers should be anchored to the Core Competency Areas in the DPO Competency Guideline to equip DPOs with the knowledge and skills needed to carry out their regulatory and organisational functions.
Training in the Core Competency Areas may be provided by recognised Training Providers, with appropriate assessment mechanisms in place to ensure that the intended competencies set out in the DPO Competency Guideline have been attained.
The Commissioner may also implement a professional certification pathway comprising two certifications - Certified DPO (Fundamental) and Certified DPO (Advanced) - that can take the form of short-term certificates of completion or long-term professional certification. Where relevant, internationally recognised professional certifications may be considered by the Commissioner for recognition towards Certified DPO (Advanced).
The Roadmap is available here.