Key Concerns for a Data Protection Officer
In less than three months, I will have been a data protection officer (DPO) for two full years. It is a role I did not foresee I’d assume back when I was still with the National Privacy Commission — certainly not while I led the drafting of the agency’s actual issuance on DPOs. Nonetheless, it is one I have come to embrace and appreciate despite all the challenges it has prompted me to face head-on.
As I take a moment to reflect on my experience so far, I wish to highlight five key areas of concern that any current or prospective DPO should focus on in order to have a fair chance of succeeding in this new profession. Top management should take note, too. They could save precious company resources and avoid possible liabilities resulting from a poor appreciation of a DPO’s job.
Scope of Work. In any given institution, a DPO essentially performs functions akin to those of a data protection authority — drafting and issuing policies, reviewing documents with data privacy implications, conducting capacity-building sessions, and investigating privacy-related offenses and security incidents, to name a few. This is a huge responsibility for any one person, more so when overseeing the operations of a large organization. It should not be taken lightly. Overlaps with the mandate of other service units are also common, making it important for a DPO to insist on a clear delineation of his or her role at the soonest possible time.
Manpower and Resources. It would not be unreasonable to assume that most companies still rely on a “paper” compliance program when it comes to data protection. They designate an existing officer as their DPO and expect that person to assume the role while performing other tasks and responsibilities (e.g., as information security officer, legal counsel, or risk manager). They neither offer additional manpower to render assistance nor provide the resources necessary to see such a role fulfilled. Others depend on external parties to deliver “preset” compliance programs and do not bother to build on these run-of-the-mill systems. Situations like this typically result in an environment where no true data protection exists. It is unfortunate for the people whose personal data are at stake and could spell disaster for the companies themselves, which may have been lulled into a false sense of security. Commitment by management to a comprehensive and fully functional data protection framework is paramount.
Policies and Procedures. One of the more unpleasant surprises I have encountered in my consultancy work is the fact that many companies do not have proper policies in place to govern their day-to-day operations. Most rely on practices passed on from one generation of employees to the next, enabled by officers who are all too happy to have the freedom to change things up on a whim. Sometimes, there are policies, but only a handful are aware of them. Big and established companies are no exception. DPOs who are confronted with these situations have their work cut out for them. Ideally, they are expected to go over existing policies and procedures (via a Privacy Impact Assessment), determine problem areas, and then propose solutions in coordination with other units and offices. Where these materials do not exist, it is not uncommon for DPOs to spearhead policy-making efforts that go beyond their actual mandate. In cases where the policies are there but are lost in obscurity, capacity-building activities become a prerequisite before a DPO can move forward with his or her main work.
Legal Counsels and other Data Protection Officers. DPOs are bound to encounter other DPOs in the performance of their functions. This is often the case when a data processing contract between two or more companies is under scrutiny. On occasion, it would be the legal counsel of the other entity that carries out the review, including those provisions on data protection. This can either be a rewarding experience or a frustrating one. If all parties are sufficiently informed of the basic tenets of data privacy and are reasonable enough to accommodate permissible adjustments in the contract’s terms, the process can be quick and fulfilling. If one party turns out to be arrogant and unyielding in his or her position, awful exchanges can become inevitable. Of course, a worse situation would be that where a party maintains a patently erroneous understanding of the law while, at the same time, refusing to acknowledge a different (albeit correct) opinion. Only one other scenario can top this: if the disagreement arises between two or more people that belong to the same organization. This can happen if, say, the DPO disagrees with the company’s own legal counsel. In times like this, it is important to maintain a cool head. Be conscious of where one draws the line beyond which no compromise is possible anymore. Sometimes the best way to resolve a standoff is to walk away.
Disinformation and the Experts Outbreak. A prevailing insider joke in data privacy circles is that all it takes to become a privacy expert these days is hubris. That is, be bold enough to claim the title and it is yours. This problem is easy enough to ignore if not for its potential to cause actual harm or damage to companies — and even people. I have heard of a company that ended up hiring two data privacy “consultants” because the first one gave erroneous advice, thereby requiring a second one to review all his submitted outputs. Another company following “expert” advice was reprimanded by the NPC and learned that said advice was very much off the mark. And then there are those who complain about the numerous fee-based workshops and seminars they have attended, all of which fail to give them even a basic understanding of data privacy and what it means for their organizations. I have attended a few of these events and I can sympathize. A number of these “experts” are no experts at all. Many harbor erroneous interpretations of the law and have no reservations sharing them with the world. It is tragic that they actually get paid for it. For these reasons, companies should be more discerning when it comes to where and how they allocate their limited resources. They should assess the credentials of every person who fancies himself an authority. There are legitimate subject matter experts out there. And then there are those just out to make a quick buck.
Data privacy at the moment is still, by most standards, a novel area of expertise. Few are able to claim they have a full grasp of what it is as a concept, although the number of those genuinely interested in it continues to grow by the day. Most data protection officers make up a huge chunk of this group. With the right motivation and adequate stakeholder support, they are expected to lead the charge in pushing for a rights-based approach to a data-driven future. In the meantime, I suggest they keep these things in mind.
This article first appeared on GMA News Online on May 3, 2019, at 10:12 pm.