GDPR - Is it really necessary for the DPO(s) to be knowledgeable to Data Privacy Law?

[Kipp_Szeth]

Hi! I just want to ask on how many DPO should a company have, is there a minimum or maximum number?

Is it really necessary for the DPO(s) to be knowledgeable to Data Privacy Law? or at least the person to be the DPO has knowledge to data privacy? e.g. ISMS

 

[Raffy]

Some organization in the Philippines has one appointed DPO (Data Protection Officer) and several COP (Compliance Officer for Privacy).
A DPO is accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.
If the DPO is not knowledgeable about the Data Privacy Law, how will he monitor the compliance of the organization with the Data Privacy Act, Its Implementing Rules and Regulations, issuances by the National Privacy Commission.
Hope this helps.
Best,
Raffy

 

[TomaszPuk]

From EU GDPR perspective you have to assign Data Protection Officer only in the following cases (GDPR Article 37):

"(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
" GDPR

So in case you operate under GDPR the answer to your question about number of DPO would be from 0 to at least one. In case, the organization does not have to assign it, I would still suggest to make your Information Security Officer aware of these responsibilities.

Re- your questions if such a person should be knowledgeable about applicable privacy regulations - I think s/he should. The scope of regulations very much depends on company's business model and where it offers its services (e.g. .Cloud) but you have to understand the data privacy implications for your business.
E.g. there are some requirements in GDPR which are quite specific (records of processing activities, contracts with processors etc.) that such a person should be aware of.

 

[Ian_Morris]

In short, if you have a DPO they do need to be knowledgeable about not only about the law, but about the systems in place within the company.

If you have determined that a DPO is necessary for your company (doesn't matter if this is voluntary or if you fall under the requirements) it is necessary for them to be able to demonstrate that they have the competence to execute the role (similar to the need for a Money Laundering
Reporting Officer to have necessary competence). This is because they will have legal responsibility for the effectiveness of your systems to ensure compliance with GDPR.

I appreciate that you are in the Philippines, but the UK regulator site has some exceptional advice around data protection that will be compliant with GDPR (www.ico.org.uk)