Accept or Reject: Obtaining Consent from Data Subjects

A Data Protection Officer (DPO) ensures that an organisation’s data collection, processing and use complies with applicable data protection rules and regulations. DPOs are generally data protection experts with specialized knowledge and experience. They provide advice and guidance on best practices, compliance, policies and procedures, education and training, risk management and data breach response protocols.

The rapid pace of data creation, accelerated by content generated by AI, social media, streaming, digital transactions and smart technology, has increased government intervention in data governance and protection.

As such, certain jurisdictions require that companies appoint a DPO, while others strongly recommend it. This article explores the DPO requirements, qualifications and responsibilities in countries within Globalaw’s Asia Pacific region, including Hong Kong, India, Japan, South Korea, and Taiwan.

DPO Requirements by Jurisdiction

Appointing a DPO is a recommended practice rather than a requirement in both Hong Kong and Japan. By contrast, South Korea requires most companies to appoint a DPO, except those with fewer than 10 permanent employees.

In India, DPOs are required for significant data fiduciaries. While Taiwan does not require DPOs, certain industries mandate the designation of data protection personnel.

• Hong Kong: Recommended
• India: Required for significant data fiduciaries (to be notified by the government)
• Japan: Recommended
• South Korea: Required for companies with more than 0 permanent employees
• Taiwan: Required by certain industries to designate responsible personnel

Qualifications of a DPO

For Hong Kong, Japan, Taiwan, and South Korea, there are no mandatory certifications, licenses, or qualifications required before someone can be appointed as a company’s DPO.

While there are also no legal or technical qualification mandates for India, a DPO shall be (a) based in India, and (b) be an individual responsible to the Board of Directors or similar governing body of the significant data fiduciary.

Responsibilities of a DPO

The responsibilities of a DPO vary by jurisdiction and, in some cases, by industry and are authorized by the governing authority of that jurisdiction.

Hong Kong

Governing Body: The Office of the Privacy Commissioner for Personal Data (PCPD).

The PCPD provides the following recommendations:

• Establish and implement the Privacy Management Programme (PMP), such as maintaining a record of the organisation's data inventory, conducting periodic risk assessments, and providing training and education.
• Review the effectiveness of the PMP, including preparing an oversight and review plan.
• Report regularly to top management on the organization's compliance issues, problems encountered, and complaints received related to personnel.

India

Governing Body: Government of India, Ministry of Electronics and Information Technology (MeitY)

Under the Digital Personal Data Protection Act (DPDP), the DPO shall represent the significant data fiduciary under the provisions of the legislation and be the point of contact for the grievance redressal mechanism.

Japan

Governing Body: Personal Information Protection Commission

A DPO is not subject to any legally mandated responsibilities.

South Korea

Governing Body: The Personal Information Protection Commission

Under the Personal Information Protection Act (PIPA), the DPO handles personal information for business purposes to comply with the regulations. These responsibilities include:

• Overseeing the handling and protection of personal data,
• Establishing internal policies and safeguards,
• Responding to data subject requests (e.g., correction, deletion),
• Managing incident response for data breaches,
• Serving as the liaison with the Personal Information Protection Commission (PIPC),
• Conducting regular audits and training

Taiwan

Governing Body: The Taiwanese government is in the process of forming the Personal Data Protection Commission.

Only specific industries are required to designate responsible personnel, and sector-specific regulations govern their responsibilities.

--

This article is part of a series by our Globalaw APAC Data Privacy & Protection Taskforce members.

Globalaw’s APAC Data Privacy & Protection Taskforce comprises 15 law firms in the Asia-Pacific region with specialized expertise in advising international companies on how to implement and manage a multijurisdictional data protection program.

Taskforce member firms combine a strategic, business-minded approach with cross-border collaboration to help clients build and maintain sophisticated and resilient data practices, effectively mitigate and respond to incidents, and provide sophisticated representation to resolve disputes or regulatory investigations.

Explore the Globalaw APAC Data Privacy & Protection Taskforce brochure for more information and regional contacts.

Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. Information, including laws and statutes, cited are subject to change and is accurate as of 30 June 2025, but readers should verify such current status. We and our member firms shall not be held liable for any loss and/or damage incurred by any person acting as a result of the information contained in this article. Reliance on this content is at the reader’s own risk, and no attorney-client relationship is formed by reading or acting upon this article. Always seek professional legal counsel to ensure compliance with applicable laws and regulations.

October 1, 2025 – Globalaw, a leading network of independent law firms, announces the launch of its APAC Data Privacy & Protection Taskforce, comprising 15 law firms in the Asia-Pacific region with specialised expertise in advising international companies on implementing and managing multijurisdictional data protection programmes.

“International companies face an ever-changing web of data privacy and protection laws," said Globalaw President Peter J. Brown. “Globalaw’s APAC Data Privacy & Protection Task Force provides seamless, cross-border expertise to help clients navigate these issues with clarity and confidence. Our member firms offer strategic advice and legal support to reduce risks, ensure compliance, and build long-term trust.”

Taskforce member firms combine a strategic, business-minded approach with cross-border collaboration to help clients build and maintain responsible and resilient data practices, effectively mitigate and respond to incidents, and provide sophisticated representation to resolve disputes or regulatory investigations. Whether addressing GDPR, CCPA, or emerging data protection frameworks across multiple jurisdictions, our network grants access to the following firms offering consistent, high-quality guidance in the Asia-Pacific region:

Australia: McInnes Wilson

China: GoldenGate Lawyers

Guam: Calvo Jacob & Pangelinan, LLP

Hong Kong: Oldham, Li & Nie

India: Abacus Legal Group

India: Ahlawat & Associates

Indonesia: Bagus Enrico & Partners

Japan: Chuo Sogo LPC

Korea: DLG Law Corporation

Malaysia: Abdullah Chan & Co

New Zealand: Simpson Western

Philippines: CDRP Law

Singapore: Goodwins Law Corporation

Taiwan: Stellex Law Firm

Thailand: Legal Advisory Council Limited

Globalaw introduced the Sports Law Taskforce earlier this year, which provides dedicated legal counsel and representation for athletes and stakeholders worldwide. Visit Globalaw Publications & Resources for more information.

About Globalaw

Globalaw is a Chambers Global-ranked Band 1 Leading Law Firm Network of approximately 80 independent law firms and 4,000 lawyers in over 60 countries. Our mission is to foster seamless legal collaboration among member firms and assist them in delivering high-quality, cost-effective solutions to their clients worldwide. We take pride in our commitment to excellence, global reach, and innovative approach to legal services. Visit www.globalaw.net to learn more.

Media Contact:

Jaime Luckey

marketing@globalaw.net

Globalaw has expanded its coverage in Africa with the addition of two new member firms: Marghany Advocates and ABMAK Associates, Advocates & Legal Consultants.

⎯

Based in Cairo, Egypt, Marghany is recognized as a leading M&A firm with additional expertise in competition and corporate law, compliance and corporate governance, data protection and media and advertising. With a 38-year history, the firm is led by Managing Partner Amir Marghany and is consistently ranked in Legal500.

For more information about Marghany, visit https://www.marghany.com/.

⎯

ABMAK is headquartered in Kampala, Uganda, and is the market leader in energy, mining, and oil and gas. Additional practice areas of specialisation include corporate and finance, tax and revenue, employment, dispute resolution, and environmental and social governance. Managing Partner Aisha Naiga Wamala heads the 16-year-old firm, which has been ranked in Chambers’ Global Guide for 10 consecutive years.

For more information about ABMAK, visit https://abmak.org/.

Globalaw President Peter Brown sat down with Expansión to discuss the organization's growth and development and how Globalaw’s strong international footprint positions member firms to provide clients with the knowledge, connections, and resources needed to successfully navigate through current challenges and unpredictability. 

Read the article →