Among the requirements of Republic Act No. 10173, or The Data Privacy Act of 2012, is the appointment of a Data Protection Officer (DPO). This position, sometimes also called a Data Privacy Officer, is a requirement of all entities engaged in the processing of personal data.
A survey of friends and colleagues in the industry has shown that for most of the larger companies and entities, the Chief Information Security Officer (CISO) is often appointed as the DPO. After all, as many people in management may logically surmise, the CISO is responsible for ensuring the security of the information and information technology of the company, thus, the functions of a DPO would complement such a position. It saves time and money, in that the two key functions are merged into one person.
However, if one were to look at the reality of the situation, the functions and duties of a CISO do not work hand-in-hand with that of the DPO, but actually clash and contradict each other.
CISO functions are often broad, depending on the size of the entity. A common function of a CISO is providing a secure IT infrastructure geared to protecting the integrity and confidentiality of information while maintaining its availability, and protecting information from internal and external threats.
On the opposite side of the coin, a DPO is mainly mandated to ensure compliance with the Data Privacy Act, conduct a Privacy Impact Assessment, and act as the liaison between the company, the data subjects, and the National Privacy Commission (NPC), the latter being the governmental regulatory agency on the Data Privacy Act. Other key duties include having to ensure proper data breach and security incident management, a function where the DPO is legally mandated to submit to the NPC reports regarding the breach or incident.
See the inconsistency yet? That point of impact where the job functions actually contradict each other if only one person is both CISO and DPO?
First, the positions have completely divergent interests. The CISO is concerned with identifying, detecting and stopping threats, and is concerned with the security of the company or entity, far beyond the extent of the loss of any personal information or data. The DPO’s main concern is the data subject and the data itself, as well as any loss of data that may result from a breach.
Second, the DPO is tasked with the conduct of a Privacy Impact Assessment, which is effectively an audit of the organization’s methods and manner of acquiring, using, processing, storing, and destroying personal data. It necessarily involves an audit of the security systems and measures in place, the very same systems and measures that the CISO either created, established, or for which he or she is otherwise responsible. One can now see the inherent conflict of interest where the CISO-DPO is made to audit the technical and procedural controls under his or her own management.
Third, the DPO is mandated by law to report to the NPC and the data subject any data that may have been compromised through a breach. These breaches would most likely have resulted from a gap in the technical or procedural controls implemented or maintained by the CISO. The CISO-DPO combination results in that person being in the “rock and a hard place” position, as the breach is likely due to something under his or her purview as CISO and yet as DPO he or she would have to report the incident.
Fourth, most CISOs have a technical expertise, while the job functions of a DPO require an understanding of the intricacies of the Data Privacy Act and the Implementing Rules and Regulations. DPOs are in charge of creating a Privacy Manual, drafting and reviewing Data Sharing Agreements and Contracts, among a slew of legal and regulatory documents. I am not, by any means, saying that a CISO would have difficulties with the legalities of a DPO’s functions, but given as how CISOs are already heavily burdened with the overall information security of the company or entity, to add these functions would likely result in a burned out individual.
Therefore, given these many reasons, I strongly advise companies and governmental entities to think twice before appointing their CISO as the DPO in any concurrent capacity.
The author is the founder, CEO and counselor for Compliance, Trade & Investment, and Government Relations & Public Policy at Caucus, Inc., a multi-industry, multi-disciplinary consultancy firm. He graduated MBA from De La Salle University, Juris Doctor from Far Eastern University, and LLM in International Commercial Law from the University of Nottingham, United Kingdom. He was a Chevening-HSBC UK Government Scholar, a Confucius Institute Scholar, and an alumnus of the US State Department’s International Visitor Leadership Program. He teaches at the College of Law of the Pamantasan ng Lungsod ng Maynila and at the College of Arts and Sciences of Miriam College. The author may be emailed at email@example.com