What you should know before choosing a DPO
Has your company named its Data Protection Officer (DPO)? I realize that many companies are in a quandary over whom to pick as the DPO. The Data Privacy Act (DPA), as well as the National Privacy Commission’s (NPC) Advisory No. 2017-01 on the designation of Data Protection Officers, describes the responsibilities of the DPO but specifies only general qualifications for the job (i.e., “expertise in the relevant privacy or data protection policies and practices”).
“Should the DPO be a lawyer?” This is one of the first questions I encounter. One article by the International Association of Privacy Professionals has stated that it may be preferable to name a lawyer as the DPO. Why? Because the DPO will need a working familiarity with the data privacy law and with legal concepts in general, as s/he has to ensure that the company is compliant. But in some instances, having a lawyer as the DPO may not be ideal. For instance, if the company’s operations involve a lot of technology, it may be better to have someone with a technology background as the DPO. A case in point is Globe Telecoms, which names its Chief Information Officer as its DPO. In a forum, I have also heard an NPC representative suggest that an internal audit or control officer may be considered for the DPO position as well.
In any case, the NPC has cautioned against naming an officer whose position would have a conflict of interest with the responsibilities of a DPO. Note that there may be instances when a DPO will lead investigations into security incidents or data breaches. A DPO whose functions include direct ownership of data safekeeping would be investigating his/her own work, and may not be effective in conducting such an investigation.
Some companies are probably considering outsourcing the function of a DPO to a consultant or external counsel. Is this possible? The answer is no. The NPC rules state that a DPO should be a full-time or organic employee of the company. This means that consultants, project employees, or casual employees cannot be designated as DPOs. A company may, however, opt to search outside the organization for a DPO and hire one under an employment contract. The NPC rules state that, to ensure stability, the employment contract of a DPO should be for at least two (2) years. The requirement of a full-time or organic DPO differs from other jurisdictions, where engagement of an external consultant is allowed.
I believe, though, that the NPC is correct in making this a requirement, for the following reasons:
First, the DPO is tasked not just with advising the company on compliance with the DPA but, more importantly, with ensuring that the company is compliant. An external DPO may not have sufficient authority to ensure that his/her instructions are carried out, and that penalties are imposed upon those who do not follow them. The external DPO may also not have access to all data and personnel of the organization and, thus, will be forced to rely on representations of management as to the status of compliance.
Second, a DPO should have extensive working knowledge of the business operations. Only then will s/he be effective in designing and implementing the company’s privacy management program. In the same vein, only a DPO who knows the business operations will be able to make a competent review of the company’s data processing practices.
Once designated, a DPO takes on weighty responsibilities. Aside from the mandate under the law to ensure the company’s compliance with the DPA, the DPO may be exposed to criminal and other liability in case of a violation of the DPA. The rules state that the NPC has the power to recommend the prosecution of persons who participated in, or as a result of their negligence allowed, the commission of crimes under the DPA. For this reason, a person designated as DPO would benefit from having liability insurance, similar to what board directors and other company officers get, to ensure that s/he is amply protected while performing his/her duties.