A Primer on Data Protection Officers

A Primer on Data Protection Officers

In the midst of growing data breaches affecting a wide array of industries and applications, it has been increasingly necessary to safeguard personal data collection and processing through more stringent policies. The latest General Data Protection Regulation (GDPR) of the EU requires companies which handle personal data of European citizens to strictly comply with the GDPR standards. This recent development inevitably pushes the Philippines to stay abreast with its cybersecurity measures.[1]

One of the key features of the latest GDPR is requiring certain companies to appoint a Data Protection Officer (DPO) to oversee GDPR compliance.[2] Correspondingly, one of the 5 pillars of compliance to the Data Privacy Act (DPA) of 2012[3] is mandating organizations to appoint a DPO.[4]

What is a Data Protection Officer?

 With its enterprise security leadership role in data privacy, a DPO is responsible for the overall management and oversight of data protection strategy and implementation by personal information controllers (PIC) and personal information processors (PIP) as well as compliance with the DPA, its Implementing Rules and Regulations, related issuances of the National Privacy Commission (NPC), and other applicable laws and regulations pertaining to data privacy and security such as the GDPR.

The NPC has emphasized that apart from leveraging customer services and responsiveness to the demand for personal data protection, a DPO can sustain a company’s global competitiveness in data protection.

What are their Duties and Responsibilities?

DPOs of data controllers and processors are expected to perform the following functions[5]:

  1. In order to monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies, a DPO may do the following:
    1. collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
    2. analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;
    3. inform, advise, and issue recommendations to the PIC or PIP;
    4. ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and
    5. advice the PIP or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;
  2. To ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
  3. To advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
  4. To ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
  5. To inform and cultivate awareness on privacy and data protection within his organization, including all relevant laws, rules and regulations and issuances of the NPC;
  6. To advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
  7. To serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
  8. To cooperate, coordinate and seek the advice of the NPC regarding matters concerning data privacy and security; and
  9. To perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.

As a security measure, the DPA requires that the designation, postal address, dedicated telephone number, and email address of the DPO must be included in the website, privacy notice, privacy policy, and privacy manual of the organization. While the name or names of the DPO need not be published, it must be made available upon request of the data subject or the NPC. The name and contact details of the DPO are also necessary for the data processing system registration. On the other hand, the GDPR requires the publication of the DPOs information and that the same be provided to all regulatory oversight agencies.

What are the Qualifications of a DPO?

 Based on the guidelines set forth by NPC Advisory 17-01 dated March 14, 2017, a DPO must be a full-time or organic employee of the government agency or private entity. One of the main competencies of a data protection officer includes knowledge on pertinent policies and practices in privacy or data protection and the processing operations of the PIC or PIP. Meanwhile, Article 37 of the GDPR expressly requires a DPO to have “expert knowledge of data protection law and practices” in order to fulfill the tasks set forth in Article 39 of the GDPR. The regulation also specifies that the necessary level of expertise of the designated DPO should align and be consistent with the company’s data processing operations and the extent of data protection required for the data being processed by PICs or PIPs.

Who are Required to Appoint a DPO?

 Any natural or juridical person or any other body in the government or private sector engaged in the processing of personal data of individuals residing within and outside the Philippines are required to have DPOs. Meanwhile, individual PIC or PIP shall be a regarded as de facto DPOs.

A PIC or PIP may opt to have more than one DPO depending on the complexity and size of its operations.  If the employment of the DPO is based on a contract, the term of the contract should be at least two (2) years to ensure stability. While controllers and processors may outsource or subcontract the functions of its DPO, to the extent possible, the DPO must oversee the performance of his or her functions by the third-party service provider or providers. The DPO shall remain to be the contact person of the PIC or PIP vis-à-vis the NPC. It is also possible to have the same individual oversee data protection for related organizations, as long as it is manageable for him and he is easily accessible by anyone from any of the related organizations.

Addressing Difficulties and Preventing Conflict of Interest

 The increase in the demand for DPOs – a projected record of over 28,000 for Europe and U.S. and around 75,000 across the globe[6] – carries with it the emerging difficulty to ensure efficiency and foster integrity in the field. Heavier penalties to be imposed on companies for non-compliance can impact on how companies will hire competent DPOs and how DPOs will maintain integrity and a vigilant character in performing their duties.

As a preemptive measure to prevent conflict of interest, it is the obligation of the controllers and processors to effectively communicate to their personnel, the designation of the DPO and his or her functions. The guidelines in the DPA is clear. The PIC and PIP must allow the DPO to be involved from the earliest stage possible in all issues relating to privacy and data protection. Sufficient time and resources must be provided to keep them updated with the developments in data privacy and security. At the onset, the DPO shall have appropriate access to the personal data it is required to process, including the processing systems. Where applicable, the PIC and PIP shall also invite the DPO to participate in meetings of senior and middle management to represent the interest of privacy and data protection. Prompt consultation with the DPO must be done in the event of any personal data breach or security incident. Finally, the DPO must be a part of all relevant working groups that deal with personal data processing activities conducted inside the organization, or with other organizations.

Some of the best practices observed in countries that have DPO requirements prior to the GPDR, such as Germany and the Philippines, include means to ensure that the designated DPO has excellent management skills and the ability to easily interact with internal staff and the authorities.[7]

Being an effective and reliable DPO entails the ability to consistently ensure internal compliance and alert the authorities of non-compliance while understanding that the company could be subjected to hefty fines. Regardless of whether or not DPOs are employees of the controller and processor, they should maintain accountability and independence.

[1] https://www.rappler.com/technology/news/205276-gpdr-philippines-security-practices-trend-micro-report

[2] https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required-gdpr-compliance

[3] RA 10173

[4] https://privacy.gov.ph/appointing-a-data-protection-officer/

[5] Id.


[7] Id.

Disini & Disini Law Office