Data Privacy Act compliance 'not just a checklist' – NPC exec

MANILA, Philippines – The compliance of government and businesses with the Data Privacy Act should not be seen as just a checklist to be accomplished, said an official of the National Privacy Commission (NPC).

Instead, compliance "should be about accountability, about realizing the true value of personal data and why it should be protected," NPC Deputy Commissioner Ivy Patdu said in a seminar on data privacy on Wednesday, October 11. 

"It's easy to pass procedures. It's easy to promulgate policies. What's difficult to change is culture, how you can ensure that each and everyone in the company truly understands why you're doing something," added Patdu. 

Patdu also said that compliance with the Data Privacy Act shouldn't be seen as a burden. Otherwise, people "will forget what the law is for."

"At its core, that law is about protecting individuals, protecting their personal information," Patdu told Rappler. "Because losing it, having your personal data in the wrong hands could cause real harm to the data subjects."

Patdu said that around 5,000 companies and government agencies have already shown commitment by registering their data protection officers (DPO) with the NPC.

The privacy body had set a September 9 deadline for the registration of DPOs, but Patdu said they will still accept late registration. (RELATED: NPC outlines 90-day plan for data protection officers)

In addition, she noted Filipinos' increased awareness of data privacy, pointing to a recent survey showing that most Filipinos value their right to personal data.

'COUNTDOWN.' Ahead of a March 2018 deadline set by the NPC, the Disini & Disini Law Office tackles relevant topics on the Data Privacy Act during the seminar. Photo by Michael Bueza/Rappler

'Countdown' to compliance

Patdu spoke during the "Countdown to Data Privacy" seminar of the Disini & Disini Law Office on Wednesday.

The "countdown" refers to NPC's March 8, 2018, deadline for organizations to register their data processing systems, said lawyer JJ Disini.

"They need to register what personal information your organization collects and processes, and what do you do with that information, and whether or not you've secured the consent of those individuals," said Disini.

"There's a lot of interest now, and I think people want to learn more about the Data Privacy Act," Disini added.

The seminar also tackled other topics such as the definition of sensitive personal information (SPI), the importance of getting consent from data subjects, cross-border issues in personal data processing, data privacy in social media, and valid exemptions like in research and journalism under the Data Privacy Act. (RELATED: NPC reminds media: Balance freedom of press, right to privacy)

Prepare for data breaches

Also during the seminar, NPC complaints and investigation division chief Francis Acero gave a briefing on preparing for and managing data breaches.

Organizations should be proactive in reducing breach incidents by conducting a privacy impact assessment, said Acero. They should also come up with a security incident management policy, which involves the creation of a "data breach response team," and a security incident response policy.

"To borrow an adage, you will be measured by how you stand up after you fall. If a breach happens, are you ready?" asked Patdu in a mix of Filipino and English.

If, after an investigation, data handlers have shown that they took the necessary steps and complied with the law in the aftermath of a data breach, Patdu said that they may not be held liable.

Both Patdu and Acero pointed out that one can be held criminally liable for concealing data breaches.

In general, when there is a breach or there is reason to believe that sensitive personal information may have been acquired by an unauthorized person, and the breach poses a real risk of serious harm like identity fraud, affected data subjects and the NPC must be notified of the said incident within 72 hours, based on available information.

Under Section 30 of the Data Privacy Act, those who, intentionally or by omission, conceal security breaches involving sensitive personal information face one year and 6 months up to 5 years in prison and a fine ranging from P500,000 to P1 million. – Rappler.com

Full disclosure: The Disini & Disini Law Office is a legal consultant of Rappler. It also represented Rappler in the latter's Supreme Court case versus the Commission on Elections (Comelec) during the 2016 elections.

Michael Bueza

Michael Bueza is a researcher and data curator under Rappler's Research Team. He works on data about elections, governance, and the budget. He also follows the Philippine pro wrestling scene and the WWE. Michael is also part of the Laffler Talk podcast trio.