by Sarah R. Vasquez, ITX Senior Consultant
Why Appoint a DPO?
Pursuant to the mandate of the National Privacy Commission to implement Republic Act No. 10173, more popularly known as the Data Privacy Act of 2012, the organization is required to appoint a Data Protection Officer (DPO) to ensure the protection of your personal data collection and processing. Apart from complying with the legal obligation, having a DPO is beneficial to your company because all companies in the Philippines are now being mandated to comply with the said law.
The DPOs will be accountable for ensuring compliance by the Personal Information Controllers (PIC) or Personal Information Processors (PIP) with the Data Privacy Act, its IRR, related issuances of the National Privacy Commission, and other applicable laws and regulations relating to data privacy and security.
In choosing the best person to perform the role of a Data Protection Officer, here are some of the important highlights on what to prepare and what to expect in return from the DPO in fulfilling the job of ensuring the high-level protection of company data or information.
What are the Qualifications of a DPO?
- Expert knowledge of RA 10173, the Data Privacy Act of 2012
- Expertise in privacy or data protection policies and best practices
- Good knowledge of the industry or sector, as well as the data protection needs and processing activities of the company
- A full-time or organic employee of the PIC or PIP
- Good public relations and communication skills
- A self-starter and at a management level
Designation of DPO
- Local Government Unit
Each LGU shall designate a DPO. A municipality or barangay is allowed to designate a COP, provided that the latter shall be under the supervision of the DPO of the corresponding province, city, or municipality of which that component city, municipality or barangay forms part.
- Government Agency
All government agencies shall designate a DPO. Each of the subunits of a government agency may designate or appoint a Compliance Officer for Privacy or a COP. The COP shall be under the supervision of the DPO.
- Private Sector
A DPO shall be appointed and designated by the private entities.
Where such common DPO is allowed by the NPC, the other members of the group must still have a COP, as defined in NPC Advisory No. 2017-01 – Designation of Data Protection Officers.
Duties and Responsibilities of the DPO
A DPO, among other things, shall monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. For this purpose, he or she may:
- collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
- analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;
- inform, advise, and issue recommendations to the PIC or PIP;
- ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and
- advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law.
About the Author:
Sarah Vasquez is an experienced ISMS and Data Privacy Practitioner with comprehensive knowledge and extensive expertise gained in both multinational semiconductor manufacturing and information and communications technology industries. She currently holds the lead role in ECC International’s IT Excellence domain.
Know more about her here: https://www.linkedin.com/in/sarahrvasquez/