
1. Best qualification of DPO

• The DPO should have expertise in relevant privacy or data protection policies and practices.
He or she should have sufficient understanding of the processing operations being
carried out by the PIC or PIP, including the latter’s information systems, data
security and/or data protection needs. Knowledge by the DPO of the sector or
field of the PIC or PIP, and the latter’s internal structure, policies, and processes
is also useful.
2. Obligation of Head of Agency
General Obligations. A government agency engaged in the processing of personal data shall
observe the following duties and responsibilities:

A. through its head of agency, designate a Data Protection Officer;


B. conduct a Privacy Impact Assessment for each program, process or measure within the
agency that involves personal data, Provided, that such assessment shall be updated as
necessary;
C. create privacy and data protection policies, taking into account the privacy impact
assessments, as well as Sections 25 to 29 of the IRR;
D. conduct a mandatory, agency-wide training on privacy and data protection policies once a
year: Provided, that a similar training shall be provided during all agency personnel
orientations.
E. register its data processing systems with the Commission in cases where processing
involves personal data of at least one thousand (1,000) individuals, taking into account
Sections 46 to 49 of the IRR;
F. cooperate with the Commission when the agency’s privacy and data protection policies
are subjected to review and assessment, in terms of their compliance with the
requirements of the Act, its IRR, and all issuances by the Commission.

3. Core responsibilities
You should:

• effectively communicate to your personnel the designation of the DPO or COP and his
or her functions;
• allow the DPO or COP to be involved from the earliest stage possible in all issues
relating to privacy and data protection;
• provide sufficient time and resources (financial, infrastructure, equipment, training, and
staff) necessary for the DPO or COP to keep himself or herself updated with the
developments in data privacy and security and to carry out his or her tasks effectively and
efficiently;
• grant the DPO or COP appropriate access to the personal data it is processing, including
the processing systems;
• where applicable, invite the DPO or COP to participate in meetings of senior and middle
management to represent the interest of privacy and data protection;
• promptly consult the DPO or COP in the event of a personal data breach or security
incident; and
• ensure that the DPO or COP is made a part of all relevant working groups that deal with
personal data processing activities conducted inside the organization, or with other
organizations.

4. Benefits of having DPO


1. They will help to guide your business through a complex new approach to privacy
regulation, involving disciplines ranging from human resources, legal, corporate structure
and business planning, through to website content and structure, database design, IT
infrastructure and cybersecurity. In order to be able to protect your interests in the event of a
breach, they must also operate without any conflict of interest within your organisation,
making them in one sense a ‘regulator’ working on behalf of the interests of data subjects,
more so than the interests of your organisation.
2. Thus you may regard the second reason as being an “insurance” policy, which in turn will
be effective in two ways – starting with the almost certain requirement that any actual
insurance cover you take out is very likely to require that you demonstrate your compliance
with the GDPR. However, secondly, the most effective investment you can make is in
something that ensures that you do not have to make a claim in the first place.
3. Starting with basic awareness and an impact assessment of the data within your
organisation, the DPO will deliver the third benefit, being the structured presentation of
your privacy procedures to your customers, employees and stakeholders. This will likely
include areas such as your terms and conditions, your website forms and policies, your
contracts with third parties (called Data Processors) and staff. Hopefully, you’re starting to
see there’s a lot that needs addressing.
4. Key to much of the required compliance is the training of staff and the subsequent rolling
audit of further needs and identification of requirements. This calls for a sensitive approach
by somebody who is seen to be a team member, because ‘old dogs’ generally do not enjoy
being taught ‘new tricks’, yet much has to change. Having a specialist within your
organisation who is responsible for ensuring data protection discipline will be an essential
fourth benefit.

5. Provision

Republic Act 10173 – Data Privacy Act of 2012
