Data privacy may be described as the right of an individual to be free from any unauthorized use or access of his or her personal information. This is achieved via a variety of documentary, physical, and/or technical means.
To ensure that data privacy is upheld in any given organization, there has to be at least one person responsible for carrying out such a task. In many countries, he or she is called a data protection officer (DPO).
A DPO oversees the data processing systems of an organization. He or she also promotes and enforces privacy and data security standards set by laws and other related regulations. If a breach occurs, the DPO must see to any applicable reportorial duties the organization may have to observe.
With such a wide range of tasks, a person planning to be a DPO must develop certain skills integral to the job. If you’re one such person, here are five (5) essential habits that will help you become an efficient and effective DPO:
Familiarize yourself with all applicable laws and regulations
Knowledge, as they say, is power. In the field of data privacy, this means you need to acquaint yourself with all applicable data privacy or data protection laws, including Republic Act No. 10173, also known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other issuances of the National Privacy Commission (NPC).
With the recent implementation of the European Union’s General Data Protection Regulation (GDPR), companies that do business with EU entities or those that handle personal data of EU citizens also need to consider the implications of this new law for their operations.
Make it a habit to check if there are new policies, too, including changes to existing ones. Do not get overwhelmed with so much information—something that is bound to happen if you only study your laws when absolutely necessary.
Maintain an accurate map of your organization’s security measures
Whether it’s data protection policies or technical measures like encryption and security systems, you need to map out all existing security measures of your organization that relate to personal data. Having charts that outline information process flows can be extremely useful, too, especially when dealing with security incidents or data breaches. With such charts, you are able to respond better to unforeseen issues that may arise or threaten the integrity of your information systems.
A regular review and audit of these security measures will also ensure that your security infrastructure is equipped to handle newer and potentially more dangerous threats.
Document all data privacy issues raised and the actions taken to address them
If monitoring all concerns of an organization that relate to data privacy is a core responsibility of a DPO, documentation is indispensable to that endeavor. Creating logs of all privacy issues encountered helps in developing measures aimed at preventing such issues from recurring in the future. Knowing what interventions were applied—and their effectiveness—will also prove invaluable when coming up with more modern and better solutions.
For this endeavor, start by developing monitoring forms that take into account all critical information that needs to be recorded on a regular basis (e.g., daily, weekly, or monthly). At a bare minimum, this documentation may be used later on as demonstrable proof of the organization’s effort to comply with the DPA.
Be proactive in identifying the vulnerabilities of your organization’s data processing systems
Prevention is the more effective and more sustainable approach when dealing with data breaches and other security incidents, as opposed to addressing them when they’ve already happened. With this, you need to be proactive when seeking out the vulnerabilities and weaknesses of your organization’s data processing systems. Conducting regular Privacy Impact Assessments (PIA) usually accomplishes this.
Some would argue that PIAs are too costly, especially for smaller organizations that may not have as many resources as their larger peers. While this may be true (although there are cost-efficient ways of doing it, as well), PIAs actually cost a lot less than the alternative: dealing with the damage left by a major data breach.
Check back for updates
The fifth habit worth developing is checking out other informative articles at the Foundation for Media Alternative’s blog. Bookmark it to keep abreast of all trends and hot topics regarding data privacy in the Philippines, and even around the world.