Data protection officer

When I cursorily survey senior business executives about their preparation for the impending September 9 deadline to submit their compliance with RA 10173 (or the Data Privacy Act of 2012) to the National Privacy Commission (NPC), some confidently say they are ready, most retort with a shrug, while a significant few others express total ignorance of the deadline.

According to the law, which was signed August 15, 2012 and became effective September 8 of the same year, organizations that employ 250 people or handle more than 1,000 customers in their database should register their compliance with the NPC on or before the said deadline.

But apparently, a lot of organizations have much catching up to do to make it to the deadline; and this, despite the commendable and immense efforts of the NPC and business organizations such as the Financial Executives Institute of the Philippines (FINEX) and the Management Association of the Philippines (MAP) to educate business owners and executives. There is just not enough leeway to spread awareness among all concerned organizations.

The awareness needs to center on five key steps that organizations have to take to begin their journey toward compliance with the Data Privacy Act (DPA), as urged by the NPC:

Appoint a data protection officer (DPO). To be appointed by a personal information controller, DPOs will be accountable for ensuring compliance with applicable laws and regulations relating to data protection and privacy.
Conduct a Privacy Impact Assessment to evaluate and manage the impact of the company’s program, process and/or measure on data privacy.

Create your Privacy Management Program to align everyone in the organization in the same direction, to facilitate compliance with the Data Privacy Act and issuances of the NPC, and to help your organization in mitigating the impact of a breach.

Implement your Privacy and Data Protection measures, which must continuously be assessed, reviewed and revised as necessary, while training must be regularly conducted.

Exercise your Breach Reporting Procedures regularly. The NPC and affected data subjects shall be notified by the personal information controller within 72 hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred. The personal information controller shall notify the NPC by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller, and his or her contact details.

The importance of the appointment of a data protection officer, as the first commandment of the DPA cannot be overemphasized, as they will own the compliance of the organization. Many CEOs I spoke with have appointed their risk management officers as the de facto DPO.

But increasingly, there have been job postings for a DPO in Linkedin over the past month. Typical qualifications that organizations look for include a background in both law and information technology, a hard-to-find combination, with relevant experience in managing data processing systems and handling compliance audits. |

Interestingly, one job posting says “able and willing to perform the responsibilities and assume risks of a DPO;” and why? Organizations that will not comply with the DPA will face sanctions and penalties, which range from one year to six years’ imprisonment, and a fine of not less than P500,000 and not more than P5 million, depending on the violation.

We hope that the NPC extends the compliance deadline to a later date to allow organizations to prepare and ultimately comply. In this information age, compliance with data protection regulations is considered by organizations as a competitive advantage in their business operations.

The opinions expressed here are the views of the writer and do not necessarily reflect the views and opinions of FINEX. The author may be emailed at The author is co-founder and counsellor of Caucus Inc, a data privacy and business consulting firm. He is the chairman of the ICT Committee of the Financial Executives Institute of the Philippines (FINEX). He teaches strategic management in the MBA Program of De La Salle University. He is also an adjunct faculty at the Asian Institute of Management.