Companies ordered to designate Data Protection Officers
Chief executives of public and private organizations who process personal information must designate their own Data Protection Officers (DPOs), the National Privacy Commission (NPC) urged.
Specifically, those who have not yet complied with the Data Privacy Act of 2012 should immediately appoint a DPO to signify their "commitment to comply" with the law, stressed NPC Chairman and Privacy Commissioner Raymund Enriquez Liboro.
"Personal data handling is a public trust and carries with it a burden of accountability. No amount of ignorance or legal naiveté can erase that accountability," he reiterated.
"If you process a lot of personal data, you could be a disaster waiting to happen, if you fail to apply the principles provided in the law."
The DPO sees to it that the organization abides by data privacy principles, implements physical and technical security measures, and upholds the rights of data subjects, protecting their data from collection and storage to sharing and destruction.
Providing data subjects access to their personal data and giving instructions on how they can object to processing and obtain relief when needed are part of the DPO’s job.
“For Micro, Small and Medium Enterprises (MSMEs) that process personal data, the DPO can even be the business owner,” according to Liboro. “What is important is developing a culture of privacy within their organization and ensuring their employees are aware of data privacy principles.”
So far, the NPC cited state agencies that are compliant with the Data Privacy Act and have designated DPOs, among them the Department of Health (DOH), PhilHealth, the Department of National Defense, the National Economic Development Authority (NEDA) and the Metro Manila Development Authority (MMDA).