With the rise of technology and the vast products and services that are available to the public, it is said that the personal data of individuals is now the new oil that keeps the economy running. It is the collection or processing of personal data that makes companies and organizations alive and without such, organizations may not fully market their businesses to their target clients nor perform their core functions or activities.
These processing activities however expose personal data of individuals to security risks such as identity theft incidents, phishing activities, hacking attacks and other privacy intrusive schemes. As such, data privacy rules are now being implemented in most parts of the globe including the Philippines to ensure that personal data is protected against loss, destruction, and unauthorized processing or alteration.
In the Philippines, the Data Privacy Act of 2012 (DPA) requires persons and organizations to implement appropriate security measures to secure the personal data being processed by them. The law protects the right to privacy of an individual while ensuring the free flow of information.
Applicability of the DPA
The DPA applies to both the government sector and private sector engaged in data processing. Individual professionals such as lawyers, doctors, accountants, brokers and the like who collect and process personal data of their clients, customers or patients are likewise subjected to DPA compliance.
The DPA protects the personal data of individual persons or natural persons. The data however of juridical persons are outside of its coverage.
The following are the organizations or industries that are mandated to comply with the DPA:
1. Government bodies, branches or entities including NGAs, bureaus or offices, constitutional commissions, LGUs and GOCCs;
2. Banks, non-bank financial institutions including pawnshops, non-stock savings and loan associations;
3. Telco networks, internet service providers and other entities or organizations providing similar services;
4. Business process outsourcing;
5. Universities, colleges and other institutions of higher learning, all other schools and training institutions;
6. Hospitals, including primary are facilities, multi-specialty clinics, custodial care facilities, and other organizations processing genetic data;
7. Providers of insurance undertakings including life and non-life companies, pre-need companies and insurance brokers;
8. Business involved mainly in direct marketing, networking and companies providing reward cards and loyalty programs;
9. Pharmaceutical companies engaged in research; and
10. Personal information processors processing personal data for a personal information controller, included in the preceding items, and data processing systems involving automated decision making.
If you do not fall under any of the above enumeration, you are still mandated to comply if you fall under any of the criteria below:
1. You have 250 or more employees;
2. You process sensitive personal information of 1,000 or more individuals;
3. Your processing may pose a risk to the rights and freedoms of the data subjects; or
4. Your processing is not occasional. This means that the processing or collection of personal data is a recurring or regular activity in your organization or in the exercise of your profession.
If you do not belong to any of those mentioned, you are not mandated to comply with the DPA, but you may comply voluntarily. Once you voluntarily comply, all compliance requirements will be the same with those that fall under the mandatory compliance.
Benefits of Compliance
In the Philippines, not all organizations or entities who fall under the mandatory compliance are registered with the National Privacy Commission (NPC) for several reasons. Some actually find DPA compliance not a top priority. Some find it an additional expense because there may be a need to hire a dedicated Data Protection Officer, or a consultant for that matter. Some find it burdensome because it would need manpower investment as to training, certification, or an additional load of work to be performed.
These reasons may be true, however, we need to look at the brighter side of things. Data privacy compliance can actually give you or your organization a competitive edge in the market. You can gain the trust and confidence of your customers or clients and even your business partners. Data privacy compliance will also improve your service and enhance your responsivenessin the growing public awareness to data protection.
Effects of Non-Compliance
There is now a trend that if your organization is not complying with the DPA or if you cannot show proof of compliance with the DPA, you will not be approved as a partner or as a service provider. Companies, entities, investors and clients want to work with someone who values privacy and commits to protect personal data.
Non-compliance with the DPA is actually far more expensive than complying with it. It may cause you or your organization reputational destruction and business loss. It may also give rise to legal liabilities such as payment of fines of up to four million pesos, imprisonment of responsible officer or employee, and payment of damages to persons whose privacy rights have been violated. If warranted, you may be given a temporary or permanent ban to process personal data.
In view of the above, it is necessary, beneficial, and practical to start with your data privacy compliance. Appoint someone in your organization to be your Data Protection Officer. It may be hard at first, but there are already a number of public trainings, seminars, forums, and even webinars available that will guide you with the process. Once you have an overview of the DPA and its implementing rules and regulations, it will be easy for you to plan your next activities and create your compliance road map. The next thing you’ll know, you already have your own Privacy Manual. With DPA compliance, you reap what you sow.