The Data Privacy Act of 2012 (DPA) is a Philippine law that aims to protect the personal information of individuals and ensure the responsible use of such information by organizations. To comply with the DPA, organizations should follow these five pillars:
1. Appoint a Data Protection Officer (DPO). A DPO oversees an organization's compliance with data protection laws and regulations, particularly the DPA. The DPO should be a person who is knowledgeable about data protection practices and able to ensure that the organization complies with the DPA.
2. Conduct a Privacy Impact Assessment (PIA). A PIA is a process for evaluating the potential impact of an activity or system on the privacy of individuals. It helps organizations identify and assess the privacy risks associated with the collection, use, and disclosure of personal data, and implement appropriate measures to mitigate those risks.
3. Create a Privacy Management Program (PMP). A PMP is the set of policies, procedures, and practices that an organization puts in place to ensure compliance with the DPA and protect the personal data of individuals. The program should outline the organization's data collection, use, and protection practices, as well as the roles and responsibilities of employees concerning data protection.
4. Implement privacy and data protection measures. Organizations should implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, or destruction. These include measures such as encryption, secure servers, and access controls.
5. Establish breach reporting procedures. Organizations should establish procedures for handling data breaches, including notification of affected individuals and the authorities as required. This includes identifying the causes of the breach, taking steps to prevent similar occurrences in the future, and providing appropriate support to affected individuals.
A Data Protection Officer (DPO) oversees an organization's compliance with data protection laws and regulations, particularly the Data Privacy Act of 2012 (DPA). As such, the DPO should be someone who is knowledgeable about data protection practices and can ensure that the organization is compliant with the DPA.
There are no specific requirements in the DPA regarding who can or cannot be appointed as a DPO. However, it may not be appropriate to appoint someone with a conflict of interest, such as a personal or financial stake in the organization's data collection, use, or protection practices.
Staff in the Human Resources (HR), Information Technology (IT), or legal departments may have conflicting roles or responsibilities that interfere with their ability to fulfill the role of DPO. For example, HR may be responsible for managing employee personal data and may have a vested interest in collecting, using, and sharing this data for various purposes. Similarly, IT is usually responsible for managing and protecting the organization's data systems, so it may not be able to police itself objectively. There may also be a conflict of interest if someone from legal is appointed as the DPO, as their primary role is to protect and represent the organization. Doing so may create the perception that the DPO is more focused on protecting the organization's interests than on ensuring compliance with the DPA and protecting the personal data of individuals.
The general recommendation is to give the authority to implement and enforce the organization's data protection policies and procedures to an independent and objective individual with the necessary knowledge, skills, and expertise for the DPO role. A data protection team or office may also be formed, depending on the size and complexity of the organization.
Outsourcing the DPO role can be a practical solution for an organization that does not have the resources or expertise to appoint and manage a DPO internally. The organization can access the necessary expertise and support without hiring and training a dedicated C-level employee.
Selecting a reputable and qualified third party ensures that the DPO can fulfill their responsibilities to the highest standards.