Obey or pay: Implications for personal information controllers and processors

Menen Miranda, Consulting Senior Manager, PwC Philippines | 22 Sep 2016

A couple of months ago, I wrote about the draft Implementing Rules and Regulations (IRR) of the Data Privacy Act (DPA) of 2012 and the rights of the data subject. As promised, here is the second part where I will share my thoughts on how the IRR will impact organizations as either personal information controllers (PICs) or personal information processors (PIPs).

The final IRR was published in the Official Gazette last Aug. 25. It took effect last Sept. 9, a date worth noting because it signifies the start of the one-year period for PICs or PIPs to meet certain requirements under the law and the IRR. So, what are these requirements?

According to Section 46 of the IRR, PICs are required to perform the following actions to ensure that they comply with their obligations under the law:

  • Register with the National Privacy Commission (the Commission) their personal data processing systems operating in the country that involve accessing or requiring sensitive personal information of at least 1,000 individuals, including the data processing systems of contractors and their personnel who enter into contracts with government agencies;
  • Notify the Commission of their automated processing operations where processing becomes the sole basis of making decisions that would significantly affect the data subject;
  • Report annually to the Commission a summary of their documented security incidents and personal data breaches; and
  • Comply with other requirements that may be imposed by the Commission in other issuances.

Looks simple? It depends on who you ask and on how mature an organization's privacy life cycle is.

An organization that lacks privacy-consciousness may view the DPA and its IRR like an enormous beast to deal with. There are many elements to assess and questions to answer - the most fundamental of which are "What do we do?" and "Where do we begin?"

In contrast, an organization that has taken steps towards privacy maturity, either in response to its customers' privacy requirements (e.g. the BPO industry) or to the enactment of the DPA in 2012, may be in a position to begin measuring its readiness to comply with the specifics of the law. "Where are we now?" is the question this organization is likely to ask itself.

Another type of organization would be one that is focused on and invested in securing their information in general. This entity will be able to leverage their information security policies, processes, and technologies to become compliant with the requirements of the DPA and its regulations.

And perhaps the organization best positioned to comply with the law is one with a functioning governance framework, provided that it actually exercises that governance over its information.

Irrespective of where an organization stands on privacy, there are actions prescribed in the IRR that PICs had better observe to satisfy what is required of them. Rule VI lays down the security measures for the protection of personal data by a PIC, summarized as follows:

  • Assign someone to function as data protection officer, compliance officer or any other officer accountable for ensuring compliance with applicable laws and regulations on data privacy and security;
  • Implement appropriate data protection policies that provide for organizational, physical, and technical security measures;
  • Maintain records that sufficiently describe their data processing system and identify the duties and responsibilities of those individuals who will have access to personal data;
  • Select, train and supervise their employees, agents, or representatives who will have access to personal data;
  • Develop, implement and review policies and procedures for the collection and processing of personal data, for data subjects to exercise their rights under the DPA, access management, system monitoring, protocols for security incidents or technical problems, and data retention;
  • Ensure through appropriate contractual agreements that their personal information processors shall also implement the security measures required by the law and the IRR;
  • Comply, where appropriate, with physical security guidelines set forth in the IRR; and
  • Adopt and establish technical security measures such as, but not limited to, a security policy for the processing of personal data, safeguards to protect their computer network, periodic evaluation of the effectiveness of security measures, and encryption of personal data.

The Commission intends to monitor PIC and PIP security measures against the guidelines provided in the IRR and subsequent issuances. The determination of the appropriate level of protection by a PIC or PIP will take into account various factors such as the nature of the personal data, the risks posed by the processing, size of the organization, complexity of operations, current data privacy best practices, and the cost of security implementation. Simply put, organizations should employ a risk-based approach to privacy. In my honest opinion, this is the way that PICs and PIPs should go since protecting personal data can come at a hefty price if controls are implemented without properly assessing risks.

There may be questions surrounding the Commission's readiness in performing its compliance and monitoring functions. "Has it built the capacity to enforce the law and its regulations?" "Does it have the right people to fulfill its mandate? Or is the Commission also just starting to form its own teams, processes and procedures that will support its various functions?" As for me, I would like to believe that the Commission is working doubly hard to prepare for the onslaught of privacy concerns that will come from data subjects, PICs, PIPs, and other stakeholders.

In these early days of privacy in the Philippines, organizations may view privacy as something they must comply with, at any cost. I have no qualms about that. Who wants to be slapped with fines and imprisonment? Rule XII of the IRR specifies the penalties for violations pertaining to personal information and sensitive personal information that include unauthorized processing, accessing due to negligence, improper disposal, processing for unauthorized purposes, unauthorized access or intentional breach, concealment of security breaches, malicious disclosure, and unauthorized disclosure. There are corresponding fines and periods of imprisonment for each of these violations, ranging from P100,000 to P5,000,000 and between six months and seven years. These consequences show how serious the Philippine Government is about the business of privacy.

Obedience will drive organizations to uphold privacy. However, organizations that understand the value of privacy that can be trusted (beyond mere compliance) may get more out of protecting privacy than just avoiding penalties. Customers are data subjects, and as data subjects become more aware of their right to privacy, there will be increased demand and pressure on organizations to uphold that right. Investors always want to protect their business interests, so they will choose to do business with organizations that can demonstrate their ability to manage all types of risk, including privacy risk. Privacy also affects the top and bottom lines, through the fines imposed by the Commission and through the reputational cost of lost revenue.

It is apparent that heads will roll if and when privacy is breached. It is therefore imperative for organizations to start or continue their privacy journey, to become compliant with the law and, more importantly, to emerge as champions of data privacy that people can trust.

The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of PwC Consulting Services Philippines Co. Ltd. The firm will not accept any liability arising from the article.
