Adhering to Data Privacy Act of 2012 – Is it too late now?
By Amy Lyn Tabiliran, Business Unit Head of Security, Fujitsu Philippines
In today’s age of data overload, organizations now are urged to take on valuable steps in taking good care of their client’s private data. This directive is integral, especially for businesses here in the Philippines, since the National Privacy Commission (NPC) recently ignited its campaign to penalize all the violators of the Republic Act 10173, otherwise known as the Data Privacy Act of 2012.
Since it took effect on September 9, 2016, the comprehensive and strict privacy legislation mandates the “protection of the fundamental human right of privacy and communication while ensuring the free-flow of information to promote innovation and growth.” While it applies to individuals and legal entities that process personal information in the country, it should also be implemented by global businesses with equipment based in the Philippines. The act further applies to the processing of personal information of any Filipino regardless of where they reside.
For those who are not yet compliant, the question now is: Is it too late for them to adhere to it? As of writing, preparations for the data privacy act is past crunch time. In fact, NPC’s campaign to inspect and check the compliance of companies across industries is now in full blast. Thus, a hasty action is necessary—or else, a non-complaint may face a sanction of up to three years in jail, (for officials), and fines amounting to P2-Million.
To ensure compliance and avoid compromising the personal data of their clients, NPC noted five pillars that organizations should consider. Reviewing these points are crucial, especially for those who are not yet compliant, as a guide to monitor to know their status of amenableness.
Commit to comply. Companies that deal with client’s personal information are required to designate a data protection officer, who will be accountable for compliance with the rules and regulations related to data protection and privacy.
Know your risks. A privacy impact assessment is mandated so that businesses can institute proper organizational and technical security measures. This evaluation should identify the company’s processes, as well as the risks and threats associated with them.
Be accountable. Organizations should create their privacy management program by writing a security manual that will align everyone in the same direction in facilitating compliance with the data privacy act. This manual will also come useful in mitigating the impacts in case of a data breach.
Demonstrate your compliance. Upon the creation of the data privacy program, it must be implemented. As it necessitates, it should be assessed, reviewed, and even revised continuously. Of course, training for security officers must also be conducted.
Be prepared for a breach. All personal information controllers and processors should implement a security incident management policy. This policy is for managing security incidents, including data breaches. This rule also says that upon the discovery of the breach, organizations must conduct an initial assessment, mitigate its impact, and notify the affected parties, as well as the NPC, within 72 hours of discovery.
As a way of speeding up compliance, it will be beneficial to integrate security solutions and services to your organization. While there are many systems integrators present in the country, it pays to hire someone that uses a methodology that works based on the five basic principles of information security. It includes confidentiality, availability, accessibility, authentication/authorization, and accountability/non-repudiation.
Another consideration would be the kind of solutions that they offer since it must be able to tailor fit with the organizations’ environment so that it can tackle their network, data, information, and user security requirements. There are other features that the integrator must also offer, like the 24/7 customer service, among others.
At Fujitsu Philippines, we dedicate to assist organizations to comply with the standards. With over four decades of experience, it is always our commitment to work with all stakeholders in protecting personal data and privacy, which in turn can contribute to shaping a better and safer tomorrow for the country.