Updated: Feb 27, 2020
The Data Privacy Law was enforced 2 years ago. Most organizations today, find themselves still struggling at complying with the Data Privacy Law. So, what can management do to gain compliance status now and avoid the heavy fines and penal sanctions for being non-compliant?
The first requirement of the Data Privacy Law is to appoint a Data Protection Officer (DPO). And most companies concerned with compliance have indeed, appointed their DPOs. But after appointing the DPO, what happens next?
The appointed DPO has to be trained and oriented on the Data Privacy Law, its Implementing Rules and Regulations (IRR), advisories, circulars and other issuances by the National Privacy Commission (NPC), the government body created to oversee the implementation of RA 10173, otherwise known as the Data Privacy Act of 2012 (DPA2012) effective September 2017.
Why would the appointed DPO need training on DPA2012? Because the DPO needs to know, specifically what the unique and novel data protection requirements of the Data Privacy Law are, before taking the first step towards introducing the change effort. More importantly, the DPO needs to understand the politics and the change management issues to address when trying to change a whole company (all employees and systems) to comply with the law as embracing and sensitive as the DPA2012.
This is a tall order for any appointed DPO, especially without the necessary training and experience in carrying out risk assessments and documenting privacy policies and procedures. As DPA2012 is a new law, there are no past experience or “best practice” that the DPO can model the company’s compliance. This means that the DPO has to learn his job from reading and taking a cue from the DPA2012 IRR, the toolkits, advisories, and circulars as issued by NPC, as best he can. As for the actual implementation, the DPO will have to get guidance from systems people who have had extensive experience in implementing various HR and other corporate IT systems in the past.
To stress the importance of having the needed skills for a DPO, NPC recommends (NPC Advisory No. 2017-01) that “the DPO should possess specialized knowledge and demonstrate reliability necessary for the performance of his or her duties and responsibilities. As such, the DPO should have expertise in relevant privacy or data protection policies and practices.” Unfortunately, this qualification was not a prerequisite management imposed when appointing their DPOs.
In the same advisory, NPC recommends that the “DPO should also have sufficient understanding of the processing operations being carried out by the organization, including its information systems, data security and/or data protection needs.”
Since most management was not aware of the above qualifications for appointing their DPOs, any delay and inability of companies to comply soonest could be attributed to inadequate training and support, badly needed by the DPO and/or the privacy team.
Management may want to heed the NPC list of “Obligations” of the organization to its DPO. One obligation particularly addresses the issue of training and support. It states that: the organization should “provide sufficient time and resources (financial, infrastructure, equipment, training, and staff) necessary for the DPO or Compliance Officer on Privacy (COP) to keep himself or herself updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently.”
Is your management providing “sufficient time and resources” to keep your DPO updated with what the DPO needs to get the company data privacy compliant… soonest?
Let PVPI help you start or restart your DPO and privacy team towards becoming data privacy compliant… soonest.
Attend our workshop on Data Privacy Compliance now! More information and registration: https://www.pvpi.co/dataprivacycompliance