Appointing a Data Protection Officer
The National Privacy Commission (NPC) requires the registration of entities that are considered to be personal information controllers (PICs) or processors (PIPs) to enforce Philippine data privacy regulations.
Every organization is required under the Data Privacy Act's Implementing Rules and Regulations to appoint a Data Protection Officer (DPO). It is necessary if you are a natural person, a juridical person, or a business that works in the public or private sector and processes the personal data of individuals both inside and outside the Philippines.
What is a Data Protection Officer?
The DPO is responsible for ensuring that the PIC or PIP complies with the Data Privacy Act (DPA). The DPO monitors and manages the data protection risks of the company in compliance with the DPA's implementing rules and regulations (IRR), any directives issued by the NPC, and all other relevant laws.
When is it required, and when is it optional but ideal?
According to the Data Privacy Act, whether an entity is a PIC or PIP, it should hire a Data Protection Officer, especially if its primary activities involve the processing of sensitive data on a large scale or regular and systematic monitoring of individuals, such as:
- Hospitals processing data
- Security agencies, etc.
- Logistics tracking orders, payments, and addresses
Duties and responsibilities of a DPO
DPOs have an important role in accountability, and they help organizations comply with rules and regulations. The responsibilities of a DPO often include, but are not limited to:
- Comply with data privacy laws and regulations
- Train and educate any staff members who are involved in processing activities
- Prevent any legal, financial, and operational risks in processing personal information
- Establish practices and develop policies that comply with domestic and international standards
- Maintain the records of processing operations
- Inform the PIC or PIP about complaints and the use of data subjects' rights (e.g., requests for information, clarifications, rectification, or deletion of personal data)
- Collaborate, coordinate, and seek the NPC's assistance regarding data privacy and security issues
General Qualifications of a DPO
The DPO must have the specialized expertise and competence required to perform its duties. The DPO should know relevant privacy or data protection policies and procedures. The appointed DPO must be thoroughly aware of the PIC's or PIP's processing needs, particularly those related to information systems, data security, and data protection.
Employment of DPO
The DPO position in the government or public sector can be either a career or an appointive position. In the private sector, the DPO should ideally hold a regular or permanent position, and in cases when a contract supports the DPO's job, the period or duration of the employment should be at least two (2) years.
The PIC or PIP should make arrangements for the appointment or reappointment of the DPO's replacement within a reasonable period if the position becomes vacant.
While following the internal regulations or the relevant contract terms, the current DPO may also be required to remain in the position until the appointment or hiring of a new DPO.
To simplify, organizations can better comply with the strict deadlines for reporting occurrences if they have a DPO to handle breach reporting. If you experience a data breach, the DPO is in charge of creating a plan and handling the reporting procedure. The DPO also keeps this plan updated to reflect any changes to the business operations.
What is the penalty for data breaches?
The NPC will impose administrative fines ranging from 0.5% to 3% and 0.25% to 2%, respectively, of the yearly gross income of the PIC or PIP that committed the offense, depending on how serious or substantial the violation was.
Other violations shall be subject to an administrative fine of not less than Php 50,000.00 but not more than Php 200,000.00.
If you are still thinking about whether you should appoint a DPO for your business, you may reach out to our legal experts or find more startup business resources at Digest.ph.