A Briefing on Data Privacy Compliance

Shiela Manalo
John Clements Lookingglass
Feb 1, 2018

Written by Patrick Dayao

Data is now considered the world’s most valuable resource; it is the new oil. As an important asset of any organization, it needs to be safeguarded, since loss of data can lead to direct financial loss to any company, translating to lost sales, penalties, and others. Businesses around the world are innovating and transforming themselves to take advantage of this phenomenon, resulting in what some have termed an “all-out assault on our personal privacy”. In order to protect their citizens in this data-driven era, governments have passed laws and regulations to ensure that data subjects are not taken advantage of. The Philippines joined the club when former President Benigno S. Aquino III signed Republic Act 10173, known as the Data Privacy Act of 2012, into law.

This law sets out the eight rights of a data subject and also lays down the jail terms and fines that may be levied on violators of these rights. Thus, it is imperative for anyone who collects and processes data to know the compliance obligations under the Data Privacy Act of 2012, or they may end up facing the consequences of non-compliance. These can include being issued a compliance order, being ordered to pay damages, or being charged with a data privacy violation, which may lead to jail terms and fines. As has often been said, ignorance of the law is not an excuse.

This is why John Clements conducted a breakfast briefing on Data Privacy Compliance on January 24, 2018 at the Manila Golf and Country Club. Invited as guest speaker was Mr. Damian “Dondi” Mapa, co-author and signatory of the Implementing Rules and Regulations of the Data Privacy Act of 2012. The briefing was attended by a number of existing clients, prospects, and employees of John Clements.

This learning experience aimed to:

  • enlighten participants about their rights under the Data Privacy Act (since all of us are data subjects)
  • make participants aware of their obligations under the Data Privacy Act, as well as the business and legal consequences of non-compliance
  • help participants understand what compliance looks like and how to get started on the journey towards compliance

Since Dondi is an expert on information and communications technology and public policy, the discussion with him was very engaging. He had served in three administrations of the Philippine government — as commissioner of the Commission on ICT (Gloria Macapagal-Arroyo) and as deputy commissioner of the National Privacy Commission (Benigno S. Aquino III and Rodrigo Roa Duterte). In the private sector, he had also worked in top IT companies such as Microsoft, Hewlett-Packard, and Dell, among others, as part of their respective Philippine management teams.

One of the briefing’s highlights was when Dondi clearly explained the eight rights of a data subject. Know your rights as a data subject so that you can protect yourself the next time you feel uncomfortable giving away your personal data to someone else.

Eight Rights of a Data Subject

Likewise, everyone was made aware of their corporate obligations as either collectors or processors of personal data, leading to realizations that current behaviors may have to change. Dondi also presented the process through which alleged data privacy violations will be investigated.

In the past ten years, there has been significant change in the movement of data from the source to a different personality or entity. As such, there is a need to conform or comply with the rights of data subjects as to the correct usage of their information, from obtaining their data through to processing, storing, sharing, and disposing of sensitive personal information. There should be a conscious effort to treat personal information as strictly confidential. To do so, it is necessary to disseminate the data privacy compliance practice to all people concerned. Compromised data is not only a violation of the Data Privacy Act of 2012, but also a threat to data subjects due to the harm of identity fraud.

Dondi shared what needs to be done in order to get started on the journey towards compliance, such as forming a breach team and registering with the NPC. Here are some references to help you get started:

  • NPC Website
  • Contents of Registration
  • Compliance Checklist
  • Sample Personal Data Inventory
  • Documentation
  • Notification to the NPC — Circular 16–03, Section 17
  • Compliance Road Map

The Data Privacy Act of 2012 controls how our personal information is used by organizations, businesses, or the government. Everyone should be responsible in using data and ensure that strict rules are followed. Companies should aspire beyond compliance — they have to keep in mind that they should be accountable for their actions and make sure that information will always be used fairly and lawfully.

Please visit and join the John Clements Talent Community.

About the author:

Patrick is currently a managing consultant at Staffbuilders Asia, a division of John Clements Consultants, Inc. He has been with the company for more than 10 years now.
