Data privacy 101: What’s a data protection officer?
We live in an era when personal data is so valuable that many business models and economies are now actually built around its collection and use. To prevent or at least discourage abuse, governments develop laws that aim to regulate this phenomenon. The Philippines has Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), with the National Privacy Commission (NPC) overseeing its proper implementation.
To many, understanding the law’s provisions and translating DPA compliance into an organization’s day-to-day operations is a daunting but necessary task.
The two will be authoring a series of articles that take up the various compliance elements of the law, as seen from two vantage points, and presented in FAQ form. In this issue, they talk about a key figure in the equation: the Data Protection Officer or, in the simplest terms, the person responsible for ensuring that a company is compliant with the DPA.
Q: What is the reason behind the requirement to appoint a DPO under the law?
Ivy: The requirement to appoint a Data Protection Officer (DPO) is under the principle of accountability in the DPA. Regulations across jurisdictions have emphasized accountability as a core principle of data protection.
More than just providing a declaration of rights of data subjects, regulations now focus on the corresponding obligations of all those who process personal data to ensure adherence to data privacy principles and implementation of safeguards for data protection. They must be able to demonstrate compliance with existing regulations.
The designation of an individual to be accountable for compliance with the DPA is understood to be a means of showing the existence of a governance structure within an organization that is conducive to cultivating a culture of privacy. The position of the DPO within an organization, the scope of his or her responsibilities, and the reporting lines available to him or her all reflect the privacy strategy being implemented by that organization.
That said, having a DPO should not be viewed as the end-all of governance. At the most, perhaps, it will enable one to tick the first of many boxes that make up the NPC’s compliance and accountability framework. If the DPO is unable to perform his or her functions, the designation will amount to nothing but paper compliance.
Ideally, having a DPO in place should herald the changes in an organization, which should include top management involvement in data protection, the establishment of an internal data privacy network, and allocation of resources for the DPO to perform his or her responsibilities. Everyone else involved in processing personal data also has a role to play in the organization’s journey towards compliance and accountability.
Q: What is the ideal role of a DPO?
Ivy: The DPO is an organization’s privacy conscience whose role is to assist the organization in meeting the requirements of accountability.
This means the DPO primarily monitors the organization’s compliance with the DPA, providing information and advice on issues that relate to data protection. He or she should be knowledgeable on privacy and data security, and must understand the data processing activities of the organization.
Wide latitude must be given, allowing the DPO to perform his or her functions independently. The things the DPO should be equipped to do include ensuring the conduct of privacy impact assessments, proper security incident management, and providing guidance on managing the organization’s relationships with internal and external stakeholders, including the NPC.
For more information, one can refer to NPC Advisory No. 17-01, which provides guidelines on the proper designation of a DPO, including the functions he or she is expected to perform.
Q: Have companies and government agencies conveyed any difficulties they’ve encountered in complying with this requirement?
Ivy: Yes. Among the challenges raised by both the private and public sectors, there is perhaps nothing more common than those arising from having the duties of a DPO assigned to an individual already burdened with other responsibilities within the organization.
Naturally, this means additional duties for that person, without any commensurate increase in compensation or other benefits. As a result, very few people take on the role willingly. Worse, many are overcome by the fear that should there be a privacy violation or a data breach in the organization, they, as DPO, will be primarily liable.
On this last point, I think it is worth emphasizing that the fear is unfounded because the obligations under the DPA are imposed not on the DPO but on the entity in control of the processing of personal data. That means the organization, as a whole. Meanwhile, on the part of NPC, our advocacy for the creation of separate plantilla positions for DPOs in government has so far been unsuccessful.
Another common grievance involves the confusion as to the need for a DPO. Unlike in the European Union, for example, where having a DPO is not required for all organizations by their General Data Protection Regulation (GDPR), our DPA makes it mandatory.
Even today, there remain organizations that mix up the requirement of appointing a DPO with the requirement for registration of data processing systems, which is a separate compliance element. To clarify, an organization processing personal data may not be required to register its data processing systems with the Commission, but it will always be required to designate a DPO.
Other matters that have been frequently raised include: a) the concept of having a common DPO for a group of companies; b) whether a DPO can be external to an organization, or physically based outside the country; and c) allowing the appointment of a lone DPO by an agency composed of different functional divisions with complex data processing operations.
In addressing these cases and other similar issues, an organization would do well to remember the principle of accountability. When designating a DPO, your primary consideration should be whether the person will be capable of performing his or her duties effectively and efficiently so as to ensure the protection of individuals and their personal data.
As such, other factors that need to be taken into account include the DPO’s accessibility, the amount of resources at his or her disposal, and the existence of an internal privacy network that can provide support when necessary.
Q: Can you give some background about your post as DPO, including your office?
Jam: As data protection officer of a university, I head its data protection office with the rank of director. I am joined by four other individuals – five as soon as we are able to fill up the post of deputy DPO.
The office was formally established almost a year ago, coinciding with my appointment. It operates directly under the supervision of the university president. This notwithstanding, it is accorded considerable autonomy by the school when conducting its affairs. These characteristics, together with a few others, make the setup consistent with the recommendations of NPC Advisory No. 17-01.
The jurisdiction of the office is broad. The university has several campuses, with over a hundred different operating units and offices. As one would expect, each one maintains data processing systems, all of which the office needs to keep in check. This also means the number of stakeholders whose rights we need to look after is quite substantial.
Q: What are your roles and functions as DPO within the organization?
Jam: At the moment, the data protection office has four key areas of operation: compliance, capacity-building, advisory, and incident management.
1) Compliance. This proceeds mainly from the directive of the DPA requiring every entity processing personal data to have someone in charge of its compliance obligations vis-à-vis the law. In our case, specific tasks like registering the university’s data processing systems, or submitting its annual security incident report, are the office’s responsibility.
2) Capacity-building. A lone person (or even office) is rarely enough to handle an organization’s compliance obligations. Thus, a DPO should also spend time on capacity-building to ensure that other units and offices, especially their personnel, are familiar with the fundamental concepts and principles of the DPA.
Within the university, we plan to achieve this via policies and procedures, forms and templates, as well as information awareness campaigns.
3) Advisory. For the office, this role effectively translates to two main tasks: (a) answering queries relating to data privacy; and (b) reviewing policies and other documents that impact or involve the processing of personal data, as referred to us by other units and offices.
4) Incident Management. The office acts on any reported security incident and makes the necessary notifications, if warranted by circumstances. We also address complaints raised by people whose personal data are with the university, including instances when they wish to exercise their rights under the DPA.
Q: Can you share some of the difficulties you’ve experienced in your work?
Jam: There are many challenges to the work of a DPO, with some more obvious than others. Those I’ve encountered, not just in my work for the university, but also when assisting other organizations, include:
1) Lack of familiarity with data privacy. Even now, many Filipinos are still unaware of data privacy, let alone the intricacies involved when trying to comply with the DPA.
This results in all sorts of problems ranging from the difficulty in finding qualified people to join a data protection office, to other people in the organization failing to comply with the instructions of the DPO, to traditional law and consultancy firms providing erroneous advice to their clueless clients.
2) Outdated or non-existent policies and practices. There is bound to be resistance from parties who are used to complying with policies rendered obsolete by the DPA – or worse, those who have been allowed to operate all this time with little to no regard for the protection of the personal data they handle. They see data protection as nothing more than an additional burden they should avoid, whenever they can.
3) Poor internal housekeeping. Establishing an enterprise-wide privacy program is difficult enough for any DPO. Doing it for companies who do not have clear process flows or operational guidelines, have poor documentation, and feature offices and positions with overlapping functions, is quite the nightmare scenario.
To avoid causing disruption to the business of an organization, it is ideal for data protection measures to be simply embedded into existing systems. This would be impossible if no such systems exist, in the first place.
Q: What does the future hold for DPOs?
Ivy: The future looks good for DPOs. Their profession is certain to emerge as a distinct field of specialization. We live in a world where information is a game-changer. That said, progress that is not founded on the protection of individuals and basic rights is nothing but illusory.
For this reason, DPOs should take their role seriously when they ensure the protection of the individual in this increasingly data-driven environment. It won’t be long before this is offered as a bachelor’s degree in universities, and included in electives and advanced programs.
This is in addition to ongoing developments of many independent programs already available for aspiring privacy professionals. As far as the NPC is concerned, the agency is looking to become the primary knowledge center in this field, providing DPO trainings and certifications, including those specifically designed for training providers.
Jam: The DPO will continue to develop as a unique professional role within an organization. With a number of institutions now offering certification programs, it won’t be long before universities and colleges come up with formal courses, too. The introduction of data science programs just these past two years is already a good sign.
For now, though, I can only commiserate with the others also occupying this role who are clueless regarding how exactly they should be fulfilling their mandates. If I can still feel like a novice even with more than half a decade’s worth of data privacy work under my belt, what more for those just thrust into the position, with no inkling whatsoever about the amount and type of work it entails.
That said, I take comfort in the hope that things will get easier as long as one gives the job enough focus and effort, coupled with the support of a growing community of peers. – Rappler.com
Ivy Patdu is a member of the National Privacy Commission, sitting as its deputy privacy commissioner responsible for policies and planning. She is also a member of the e-Health Privacy Expert’s Group and faculty member of the Ateneo de Manila Law School and San Beda College of Law-Alabang. She has worked on data privacy since 2011.
Statements of the individuals here are not official positions of their respective affiliations.