A couple of months ago, I wrote about the draft Implementing Rules and Regulations (IRR) of the Data Privacy Act (DPA) of 2012 and the rights of the data subject. As promised, here is the second part where I will share my thoughts on how the IRR will impact organizations as either personal information controllers (PICs) or personal information processors (PIPs).
The final IRR was published in the Official Gazette last Aug. 25. It took effect last Sept. 9, a date worth noting because it signifies the start of the one-year period for PICs or PIPs to meet certain requirements under the law and the IRR. So, what are these requirements?
According to Section 46 of the IRR, PICs are required to perform the following actions to ensure that they comply with their obligations under the law:
Looks simple? It depends on who you ask and on how mature an organization's privacy life cycle is.
An organization that lacks privacy-consciousness may view the DPA and its IRR as an enormous beast to deal with. There are many elements to assess and questions to answer - the most fundamental of which are "What do we do?" and "Where do we begin?"
In contrast, an organization that has taken steps towards privacy maturity, either in response to its customers' privacy requirements (e.g. the BPO industry) or to the enactment of the DPA in 2012, may be in a place where it can begin to measure its readiness to comply with the specifics of the law. "Where are we now?" is the question this organization is likely to ask itself.
Another type of organization would be one that is focused on and invested in securing their information in general. This entity will be able to leverage their information security policies, processes, and technologies to become compliant with the requirements of the DPA and its regulations.
And perhaps the organization best positioned to comply with the law is one with a functioning governance framework, provided that it actually exercises governance over its information.
Irrespective of where an organization may be with regard to privacy, there are actions prescribed in the IRR that PICs had better observe to satisfy what is required of them. Rule VI lays down the security measures for the protection of personal data by a PIC, summarized as follows:
The Commission intends to monitor PIC and PIP security measures against the guidelines provided in the IRR and subsequent issuances. The determination of the appropriate level of protection by a PIC or PIP will take into account various factors such as the nature of the personal data, the risks posed by the processing, size of the organization, complexity of operations, current data privacy best practices, and the cost of security implementation. Simply put, organizations should employ a risk-based approach to privacy. In my honest opinion, this is the way that PICs and PIPs should go since protecting personal data can come at a hefty price if controls are implemented without properly assessing risks.
There may be questions surrounding the Commission's readiness in performing its compliance and monitoring functions. "Has it built the capacity to enforce the law and its regulations?" "Does it have the right people to fulfill its mandate? Or is the Commission also just starting to form its own teams, processes and procedures that will support its various functions?" As for me, I would like to believe that the Commission is working doubly hard to prepare for the onslaught of privacy concerns that will come from data subjects, PICs, PIPs, and other stakeholders.
In these early days of privacy in the Philippines, organizations may view privacy as something they must comply with, at any cost. I have no qualms about that. Who wants to be slapped with fines and imprisonment? Rule XII of the IRR specifies the penalties for violations pertaining to personal information and sensitive personal information that include unauthorized processing, accessing due to negligence, improper disposal, processing for unauthorized purposes, unauthorized access or intentional breach, concealment of security breaches, malicious disclosure, and unauthorized disclosure. There are corresponding fines and periods of imprisonment for each of these violations, ranging from P100,000 to P5,000,000 and between six months and seven years. These consequences show how serious the Philippine Government is about the business of privacy.
Obedience will drive organizations to uphold privacy. However, organizations that understand their need for trustworthy privacy (beyond mere compliance) may get more out of protecting privacy than just avoiding penalties. Customers are data subjects, and as data subjects become more aware of their right to privacy, there will be increased demand and pressure on organizations to uphold that right. Investors always want to protect their business interests, so they will choose to do business with organizations that can demonstrate their ability to manage all types of risk, including privacy risk. Privacy also impacts the top and bottom lines by way of the fines imposed by the Commission and the reputational cost of lost revenue.
It is apparent that heads will roll if and when privacy is breached. Therefore it is imperative for organizations to start or continue their privacy journey to be compliant with the law, and more importantly, to emerge as champions of data privacy that people can trust.
The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of PwC Consulting Services Philippines Co. Ltd. The firm will not accept any liability arising from the article.
Consulting Senior Manager, PwC Philippines