You will agree with me that the global pandemic has sped up the process of digitalization and transformed the landscape of the economy in 2020. Many of my friends moved into e-commerce and are looking forward to expanding their entrepreneurial business in 2021, assuming that consumers will not dramatically change their habits in the year to come.
Many businesses had no choice but to embrace online transactions and digital solutions as part of their effort to survive. Managers understood that data management became super important, from data collection to data analysis. However, in the bid to quickly digitalize their business, they neglected efforts to build data protection into their operational controls. Hackers and other malicious agents are waiting for an opportune time to take advantage of these situations and steal customer or employee data from these businesses.
Having partnered with Straits Interactive Pte Ltd. years ago to drive data privacy protection and introduce Straits Interactive's excellent software solutions for data protection, we join Straits Interactive CEO and Founder, Kevin Shepherdson, in highlighting the career that is quietly but surely on the rise, that of the Data Protection Officer (DPO).
First and foremost, a DPO’s task is to assist the organization to govern how personal data is being collected, used, disclosed, or stored within an organization according to the requirements of relevant data protection laws, like the Data Privacy Act in the Philippines.
From an operational perspective, the responsibilities of the DPO and key players in the organization are to:
• Assess the risks relating to the processing of personal data, which includes conducting a data protection impact assessment (DPIA).
• Protect the organization by developing a data protection management program (DPMP) against these identified risks. This includes implementing policies and processes for handling personal data.
• Sustain the above compliance efforts by communicating personal data protection policies to stakeholders, including training; conducting audits; and ensuring the ongoing monitoring of risks.
• Respond to and manage personal data protection-related queries and complaints, and liaise with the data protection regulators (local and/or international) on data protection matters, especially if there is a data protection breach.
As we head into the New Year, here’s a reminder that data protection never stops. In outsourcing work that involves personal data, the question arises whether you, involved in the BPO industry, have assessed your risks and mitigated them through contracts that you have with your data intermediary (DI).
A DI is subject to the Data Protection Provisions relating to the protection of personal data (Protection Obligation) and retention of personal data (Retention Limitation Obligation) when processing personal data on behalf of the Data Controller (DC) and for the DC’s purposes. This is all part of the Cross-Border Data Protection Rules that exist with the European Union, the US and Apec. It was good that the Philippines joined the Apec Cross Border Protection Rules (Apec CBPR) system but—unfortunately—it has not supported the establishment of Accountability Agents (AA) yet. AAs are needed to certify companies involved in cross-border transfers of personal and sensitive data, establishing that the data given to these companies is well protected. The question remains when the National Privacy Commission will finally get its work done to set the rules for the establishment of badly needed AAs.
Finally, given the importance of data protection at a time when the pandemic forces organizations to gather health information on tracing and very soon on vaccination, we are running regular webinars on “Data Privacy & Protection made simple.” We offer the online DPOinBOX platform to equip professionals, managers and executives with the competencies to perform their jobs in data protection. The DPOinBOX assists in compliance not only with the Philippine Data Privacy Act but also with the EU’s General Data Protection Regulation (GDPR).
If assistance is needed or demos on the automation of data privacy protection processes are desired, contact me at schumacher@eitsc.com