Job Objective / Purpose
To comply with the regulatory requirement of the National Privacy Commission that every company which processes personal data should designate at least one (1) Data Privacy Officer (DPO).
The DPO shall be accountable for ensuring the compliance by the PIC or PIP with the DPA, its IRR, issuances by the NPC, and other applicable laws and regulations relating to privacy and data protection.
Duties and Responsibilities
A DPO shall:
a. monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. For this purpose, he or she may:
1.) collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof;
2.) analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;
3.) inform, advise, and issue recommendations to the PIC or PIP;
4.) ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and
5.) advice the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;
b. ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
c. advice the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);
d. ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period
e. Inform and cultivate awareness on privacy and data protection within the organization of the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;
f. advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
g. serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
h. cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and
i. perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects
Background and Qualifications
Bachelor's degree in Law, Information Technology, Computer Science, Business Administration, Human Resources, or a related field.
At least 3–5 years of relevant experience in data privacy, data protection, compliance, information security, risk management, legal, or governance functions.
Strong working knowledge of the National Privacy Commission regulations, including the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and related issuances.
Experience in developing, implementing, and monitoring data privacy and data protection programs, policies, and procedures.
Knowledge of privacy impact assessments (PIAs), data mapping, data breach management, and data subject rights management.
Familiarity with information security principles, cybersecurity practices, records management, and risk assessment methodologies.
Experience coordinating with internal stakeholders, regulators, auditors, and third-party service providers on privacy and compliance matters.
Strong analytical, problem-solving, project management, and documentation skills.
Excellent communication and stakeholder management skills, with the ability to conduct privacy awareness and training programs across all levels of the organization.