THE National Privacy Commission (NPC) has reiterated that chief executives of public and private organizations that process personal information must designate their own data-protection officers (DPOs).
NPC Chairman Raymund Enriquez Liboro said organizations that have yet to comply with the Data Privacy Act of 2012 should immediately appoint their own DPO. Liboro said the DPO would be accountable for ensuring compliance as regards everything related to data privacy and security.
Officially designating a DPO signals an organization’s “commitment to comply” with the law, he said in a statement.
“Personal-data handling is a public trust, and carries with it a burden of accountability,” Liboro said. “No amount of ignorance or legal naiveté can erase that accountability.”
Liboro explained that the Data Privacy Act of 2012 is about making sure “those we entrust with our personal data are actually trustworthy by compelling them to do everything they can to protect it.”
“If you process a lot of personal data, you could be a disaster waiting to happen, if you fail to apply the principles provided in the law,” the privacy commissioner said.
In Section 21 of the Data Privacy Act of 2012, the DPO is defined as an “individual or individuals who are accountable for the organization’s compliance” with the privacy law, so designated by the organization in the exercise of its duty as a “personal information controller,” or PIC.
This requirement is echoed in the law’s implementing rules and regulations (IRR), under Section 26, which states that such individuals “shall function as data protection officer” and would “be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.”
“The DPO is essentially tasked to champion people’s privacy rights from within his or her organization,” the NPC statement said.
“In so doing, the DPO is able to minimize the risks of privacy breaches, address underlying problems, and reduce the damage arising from breaches if and when they do occur. Complying with the law produces a lot of upside.”
Showing the public your commitment to protect their personal data leads to increased consumer trust and, thus, higher patronage, Liboro said.
“What is absolutely required of the DPO is willingness to understand information security and privacy principles and the capability to monitor compliance based on the law,” he added. “Or in short, he or she has to be an advocate for privacy rights of the data subject.”
The privacy body issued the statement after saying the Commission on Elections failed to designate an accountable officer for data privacy, as required under Section 21 of the Data Privacy Act.