This article was originally posted at 2019-09-30 09:28:32

What exactly is a Data Protection Officer (DPO)? What competencies does a DPO need in order to be good at his or her job? What continuing education opportunities should a DPO pursue in order to stay up to date in his or her field? And what should a hiring officer look for when hiring a DPO?

For many companies and organizations in the Philippines, the honest reality is that there are few concrete answers to these questions at the moment. After all, the Data Privacy Act – Republic Act 10173 – was signed into law only in 2012, and its Implementing Rules and Regulations (IRR) came into effect only three years ago, in September 2013.

Since then, companies have had to comply with RA 10173 by appointing Data Protection Officers and generally fulfilling the terms set forth in the law’s IRR. But the social infrastructure to support the work of DPOs – college curricula, human resource practices, continuing education, and so on – hasn’t yet had a chance to evolve properly.

To help find ways to address this issue, the National Association of Data Protection Officers of the Philippines (NADPOP) has partnered with the Center for Research and Communication (CRC) in a bid to design, develop, and implement a Data Privacy and Security Competency Framework (DPSCF) for data privacy professionals in the Philippines.

A Partnership for Filipino DPOs. NADPOP, the Philippines’ first and only organized community of data privacy professionals, was formed in early 2018, seeking to empower Filipino DPOs by creating “a vibrant ecosystem and community of practice,” eventually transforming the country into a center of excellence for data privacy.

To be able to do this, NADPOP knew that it was important to have a framework outlining the skills and competencies needed by a DPO. Such a framework would serve as a basis for evaluating Filipino DPOs’ needs, and eventually identifying and implementing interventions that would help empower them.

To help do the detailed research work to create that framework, NADPOP turned to CRC, with its ability to tap the considerable human and knowledge resources of the University of Asia and the Pacific (UA&P), its significant experience in conducting value-added research, and its history of providing technical assistance – especially in terms of organizing conferences and workshops, conducting economic and policy studies, and gathering together key stakeholders to attract investment opportunities.

Signing a memorandum of agreement last September 5, 2019, the two organizations agreed to “pursue research and development initiatives that will elevate the level of awareness and competencies of data privacy professionals in the Philippines,” and to “strengthen the data privacy ecosystem of the country by offering services that will assist institutions in their data privacy people development initiatives.”

An Entirely New Profession. The partnership between NADPOP and CRC, and its moves towards the development of a DPSCF, couldn’t come too soon for the country’s brand-new crop of DPOs – a professional niche which didn’t really exist before the IRR of RA 10173 came into force in September 2016.

One of the provisions of RA 10173 called for companies and organizations that process personal information to assign an individual or individuals who would be responsible for protecting personal data and assuring compliance with the law and its IRR.

The following year, the National Privacy Commission – another new entity created by RA 10173 – issued an advisory stating that DPOs should have expertise in all the relevant privacy or data protection policies and practices, and a thorough understanding of his or her employer’s operations inasmuch as data is concerned. The same advisory made sure that DPOs cannot easily be removed from their posts, by specifying that their employment should be as regular or permanent appointees, and that their employment contracts should be good for at least two years.

But this still left a lot of questions unanswered.

Unanswered questions. For example, exactly what kind of educational preparation should a DPO have? At a technical level, a DPO certainly needs to understand data analytics and information technology. But to do his or her job effectively, he or she would also have to understand the world of business and executive decision making. On top of all this, he or she would have to develop a deep understanding not only of the law, but of the ethics that underlie data privacy concerns. What educational background should hiring officers try to focus on when recruiting potential DPOs? Are there even any degree programs out there which offer such a broad, in-depth, trans-disciplinary focus on privacy issues specifically?

And how about continuing education? Data privacy issues are continually evolving apace with the rapid changes in information storage, transmission, and interpretation technologies, and DPOs will not be able to afford being left behind. What continuing education programs need to be put in place to make sure DPOs stay abreast of the field? How often should DPOs attend these programs, and who should be in charge of making sure these programs are up to date?

With the next year slated for a series of consultations, multisectoral fora, and perhaps even explorations of how data privacy issues can be better integrated into certain college curricula, CRC and NADPOP are excited to find some answers.

The data privacy concerns which led to the creation of the DPO profession arose from rapid improvements in the way we handle information and knowledge. But in working to ensure the best possible paths towards the professional development of DPOs, CRC and NADPOP will be looking towards the most time-honored approach to the creation of new knowledge; when it comes to figuring out the best way forward for a complicated field, nothing beats good old-fashioned research. • Remi E. De Leon/CRC

The Center for Research and Communication is a research and consultancy group that partners with the University of Asia and the Pacific (UA&P), drawing upon UA&P’s considerable human and knowledge resources to meet the research needs of businesses and development agencies throughout the Philippines. To find out more about CRC’s work and its various researchers and consultants, you can contact Communications Officer for Research, Mr. Remi de Leon, by email at [email protected].