The Freeman

Registration of data protection officers (DPOs)


I have written about Data Privacy Protection twice and will focus on it again because every company and manager will be affected by the Data Privacy Act of 2012 (DPA) – whether you like it or not. Please take note that personal information controllers and personal information processors must register their data processing systems and automated processing operations with the National Privacy Commission (NPC). The NPC has set two phases with deadlines:

* Phase One – the registration of a Data Protection Officer (DPO) on or before Sept. 9 (which was two weeks ago); and

* Phase Two – the registration of data processing systems and automated processing operations on or before March 8, 2018.

DPOs are a rare species!! It will be essential to train compliance people into becoming DPOs. This is one of the tasks the EITSC – www.eitsc.com – will undertake with priority.

The DPO shall be accountable for ensuring the company's compliance with data privacy laws and regulations. He or she must be a full-time or part-time, organic employee of the personal information controller or personal information processor and should ideally be holding a regular or permanent position. Where the employment of the DPO is based on a contract, the term and duration thereof should be at least two years to ensure stability.

The DPO should have expertise in relevant privacy or data protection policies and practices. He or she should have sufficient understanding of the processing operations being carried out by the personal information processor, including the latter's information system, data security, and data protection needs. The DPO must have useful knowledge of the sector or field of the personal information controller or personal information processor, and of the latter's internal structure, policies and processes.

Let me be very clear: data privacy protection is not limited to large companies; all companies, including SMEs, fall under the jurisdiction of the DPA, which provides for heavy fines and imprisonment if severe data breaches are incurred and non-compliance or negligence can be proven.

How can an organization comply?

* Step 1: Appoint a DPO.

* Step 2: Conduct a Privacy Impact Assessment (PIA) – a PIA is a process undertaken and used by a company to evaluate and manage the impact of its program, process and/or measure on data privacy.

* Step 3: Create a Privacy Management Framework – which serves to align everyone in the organization in the same direction, to facilitate compliance with the DPA and the issuances of the NPC, and to help your organization mitigate the impact of a data breach.

* Step 4: Implement Privacy and Data Protection Measures – as laid out in your privacy and data protection policies.

* Step 5: Exercise Breach Reporting Procedures – upon the discovery of a personal data breach, or reasonable suspicion thereof, it is important to conduct an initial assessment of the breach to mitigate its impact, and to notify both the affected data subjects and the NPC within 72 hours of discovery.

* Step 6: Register your company with the NPC – make sure your registration with the NPC is up to date and contains all necessary compliance documentation.

We are planning to bring a Data Protection Workshop to Cebu in early October. For information on the event and on DPO training, contact Schumacher@eitsc.com
