
Philippines: To Be or Not To Be a Data Protection Officer (DPO)

To be or not to be a data protection officer – this is indeed the question on many a company officer’s mind as the deadline for Phase One Registration under the Philippine Data Privacy Act of 2012 (DPA) – September 9, 2017 – draws near.

The DPA requires personal information controllers (PICs) and processors (PIPs) to appoint a data protection officer or DPO, the person charged with the task of ensuring that the PIC/PIP is compliant with DPA regulations. One of the requirements under those regulations (under certain conditions) is registration of a PIC’s (or PIP’s) data processing system with the National Privacy Commission of the Philippines. The aforesaid Phase One does not seem to be too painful: it just requires the submission of a completed registration form together with some basic corporate documents.

But the form needs to provide information about, and should be signed by, the DPO, and there’s the rub. While some would-be registrants have immediately found candidates, others are scrambling to appoint theirs.

 

What does it take to be a data protection officer?

In an advisory focused on the qualifications of a data protection officer (NPC Advisory No. 2017-01), the National Privacy Commission noted that a data protection officer must be a full-time or organic employee of the PIC or PIP, although exceptions are contemplated — where “otherwise allowed by law” or allowed by the commission. For example, a group of related companies may lawfully appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. This, however, must be approved by the commission, and if so allowed, the other group members must still have a compliance officer for privacy (COP) – essentially the DPO’s side-kick. The advisory also informed organizations that the commission can approve the appointment of a COP rather than a DPO in “analogous cases”.

The National Privacy Commission has also noted that the data protection officer ideally should be a regular employee, and “[w]here the employment… is based on a contract, the term or duration thereof should at least be two years.” However, based on the commission’s advisory, it appears that the commission will not accept consultants and project employees as DPOs. This seems to leave a fixed-term employee as the alternative to a regular employee.

Do DPOs have to be Filipinos? There is no requirement at present, unless the PIC or PIP is subject to a nationality restriction that may prohibit officers or employees from being foreign nationals.

Do they have to be Philippine residents? Again, there is no requirement at present, although having a foreign-based employee may present practical difficulties, among them that the commission may nevertheless require the PIC or PIP to have a locally based COP.

 

Double duty – Conflict of interest for DPOs

PICs and PIPs have been searching closer to home for data protection officers, with the plan of having a current employee act as DPO while discharging that person’s current functions. But this triggers another common challenge. While a DPO is not prohibited from occupying another post or discharging other functions, that post or those functions should not conflict with the privacy law mandate of the DPO. The advisory states that there is a conflict of interest when the other functions of the DPO “leads him to determine the purposes and the means of the processing of personal data.” Thus, PICs/PIPs who had naturally turned to IT heads and HR officers have had to re-think their initial choices.

Rose Marie King-Dominguez

Rose Marie King-Dominguez is a senior partner of SyCip Salazar Hernandez and Gatmaitan. She is a member of the firm’s Special Projects, and Banking, and Finance and Securities departments. She is an M&A and investments specialist, and helps lead SyCiplaw’s Telecommunications, Media and Technology group. She is also one of the firm’s data privacy experts and currently advises a number of organizations in different industries on privacy issues, helping them to establish or run their compliance programs. She has also been advising foreign companies on the impact of the local privacy laws on their operations or interests in the Philippines. She has been cited in the 2017 The Legal 500 Client’s Guide to the Asia Pacific Legal Profession as a leading individual in TMT, and in Who’s Who Legal: Telecommunications Media and Technology 2017.
