Philippines – Data Privacy Law Compliance Pillars.

31 May 2021
 

The last week of May every year has been declared as “National Data Privacy Awareness Week” under Proclamation 527 issued by President Rodrigo Duterte on 3 July 2018. The annual event is dedicated to raising awareness about the importance of protecting personal information and promoting a culture of data privacy in both government and private sectors. The National Privacy Commission (NPC) is tasked to lead the celebration and all other government agencies and departments, local government units and the private sector are encouraged to participate and assist in the activities of the celebration.
 

In line with this, today’s article focuses on achieving compliance with the Data Privacy Act of 2012 (DPA), the country’s main piece of legislation on protection and processing of personal information. Personal information pertains to data that can either directly, or indirectly, when combined with other data, identify an individual. On the other hand, processing refers to any action performed on personal information, including collection, storage, use, and destruction.
 

The DPA essentially sets the guidelines on how persons, whether natural or juridical, should process personal information. The law specifies, among others, the responsibilities of persons engaged in personal data processing, the rights of individuals whose personal information is processed (data subjects) and different penalties in case of violations of the law.
 

Understanding and complying with the DPA can sometimes be challenging and overwhelming. Accordingly, to guide individuals and entities or organizations (organizations) engaged in personal information processing, the NPC developed a five-step guide called “Five Pillars of Compliance.”
 

The guide serves as a checklist and summarizes the key data privacy obligations under the DPA and relevant issuances of the NPC.
 

1. Appointment of a Data Protection Officer (DPO)
 

The appointment of a DPO is not only required by law but is also considered as proof of the organization’s efforts to comply with the DPA. The main function of the DPO is to oversee the organization’s compliance with the DPA, its Implementing Rules and Regulations (IRR), issuances by the NPC and other applicable laws.
 

2. Conduct of a Privacy Impact Assessment (PIA)
 

A PIA is a process undertaken and used to evaluate and manage privacy risks posed by a particular activity or program that involves the processing of personal data. It should include, among others, the following: a.) a description and inventory of the personal data being collected; b.) processing activities of the organization; c.) evaluation of the organization’s implementation of security measures; d.) identification and assessment of the attendant risks; and e.) proposal of measures that address the said risks. (NPC Advisory 03-2017)
 

3. Creation of a Privacy Management Program (PMP)
 

The PMP is a holistic approach to guarantee that privacy and data protection are integrated and entrenched in all programs, activities, and initiatives of the organization. The PMP, consisting of policies, practices and procedures in processing and handling of personal data, is to be contained and codified in a Privacy Manual which serves as a guidebook for the organization’s personnel.
 

4. Implementation of Privacy and Data Protection Measures
 

The organization should have organizational, physical and technical data protection measures in place. It should also provide capacity building for its personnel. Further, contracts entered into by the organization involving personal data processing should also be properly reviewed by the organization’s legal counsel to check if the contents thereof are compliant with the appropriate provisions of the DPA.
 

5. Personal Data Breach Management
 

In case of a personal data breach, the organization should be ready to respond promptly. The organization should establish a policy stating its protocols for breach management. Effective breach management should cover breach prevention, incident response, investigation, mitigation of breach impact, compliance with notification requirements and prevention of recurrence. It is important that roles for managing breaches be clearly set out and that lessons learned are incorporated into the organization’s practices.