Outsourcing the Data Protection Officer’s functions
This is a follow-up to my post “What you should know before choosing a DPO”.
As I noted in my earlier post, National Privacy Commission (NPC) Advisory No. 2017-01 states that the Data Protection Officer (DPO) or the Compliance Officer on Privacy (COP) should be a full-time or organic employee of the personal information controller (PIC) or the personal information processor (PIP). However, if you head to the NPC website, you’d see on the page Appointing a Data Protection Officer that you can outsource or sub-contract the functions of a DPO or COP.
Say what again?
Upon second reading, you realize that what is allowed is outsourcing of the functions of the DPO or COP. To be clear, this means that while you should name a DPO/COP who is a full-time or organic employee, the functions of said DPO may be outsourced. In consonance with the provisions of Advisory 2017-01, the DPO will still be ultimately responsible for the PIC/PIP’s compliance with the Data Privacy Act (DPA), notwithstanding that the functions have been outsourced.
We can certainly see the wisdom in outsourcing the functions. Expertise on data protection and compliance with data privacy regulations is not generally available locally. The DPA is only now being implemented in earnest and there is a dearth of data privacy professionals. While some multinational corporations operating locally do have internal data protection policies as required by their home jurisdictions, there will still be some differences in these internal policies and in the DPA regulations. After all, the NPC’s approach on some data privacy requirements may differ from the approach in other jurisdictions.
Another consideration is the fast-approaching deadline set by the NPC for compliance with the DPA requirements. PICs/PIPs may not have the luxury of having internal personnel familiarize themselves with data privacy concepts and regulations as they race to meet the deadline. For these PICs/PIPs, one approach may be to name an external consultant as a co-project manager. (Yes, I think it would be a very good approach to treat the whole of the compliance initiatives as a project to be undertaken by the whole organization. Ideally, the project team would be cross-functional, with representatives of the company’s key data processing units as members. This way, the work is not done on an ad hoc basis and the perspective in implementing the policies is holistic.)
Whatever approach the PIC/PIP decides to take, it is important to ensure that the DPO/COP works closely with the consultant to whom the DPO functions are outsourced. After all, the DPO will still be ultimately responsible, both to the company’s Board of Directors as well as to the NPC, for compliance with the DPA. Moreover, the consultant will most probably not have enough familiarity with the PIC/PIP’s operations. Finally, the consultant will not have the authority to compel the PIC/PIP’s personnel to follow his/her directives. These last two considerations are crucial to the success of any privacy management program development.
Have questions about this post? Send me a message and I'll be happy to discuss this further with you.