It wasn’t long ago that consumer data privacy was not an issue taken seriously. With the first real data privacy law in the Philippines released in March 2017, all eyes were on whether this was about to become a matter of import or a passing concern. The one-year deadline for registration came and went on March 8th, 2018. Many companies have still not complied.
What has changed? Enforcement. Data privacy suddenly became more enforceable. Visibility for the issue increased considerably after major lending companies in the Philippines received complaints. Alongside this, there is a growing corporate desire to work with businesses that are in compliance. More companies are avoiding partnerships, collaborations, and contracts with non-compliant entities.
Find out what this means for your business in the Philippines, how to gain your certification, and how to avoid penalties.
What do the data privacy laws in the Philippines define?
The Data Privacy Act (DPA) makes it clear that all individuals in the Philippines have the right to privacy in their data and how it is disclosed. It defines that Filipinos have the right to live free from surveillance and intrusion. The act protects all private, personal, and otherwise sensitive content. It covers both natural and juridical persons involved in handling personal information.
The implications for your company boil down to specific actionable concerns: ensuring customers opt in when their data is collected, in a way that is both transparent and legal; limiting third-party access to customer data; and managing how customer information is accessed and discarded.
Personal data privacy in the Philippines is being taken more seriously. This parallels a series of worldwide regulations and enforcement actions on privacy like GDPR.
Registering for data privacy in the Philippines
The original data privacy law was released in 2017, with a registration deadline for compliance falling on March 8th, 2018. The deadline was split into two phases: the first covered the appointment of a data protection officer (DPO), and the second covered the registration of data processing systems.
You are required to first formally register your company, and then officially assign a data protection officer in your company. One month ago, outsourcing your company DPO became a new way to comply. It is now possible to have a third party handle this role.
You can choose to have a DPO either in a consulting arrangement – helping to develop a compliance plan – or as a completely outsourced service. It’s important to choose a capable partner that can prepare a complete data privacy plan that protects you from liability.
Who must take action?
The national policy covers any natural or juridical persons involved in the processing of personal information. It covers those who use equipment located in the Philippines. This applies even if the company is not founded or established in the Philippines.
Data privacy laws apply to all types of companies. This includes those who maintain an office, branch, or agency in the Philippines. The DPA applies to a wide range of business types, from chat platforms to tour operators, and from fintech companies to construction.
As a rule of thumb, companies with a minimum of 250 employees are required to register with the National Privacy Commission (NPC). Companies with access to the personal and identifiable information of 1,000 or more individuals must register.
What are the compliance requirements?
Submitting your online registration with the National Privacy Commission is the first step. This goes hand in hand with appointing a DPO for your data privacy. Registration is followed by a number of steps along the path to compliance.
There are five (5) key requirements. They start with the appointment of a designated data protection officer and the creation of a privacy impact assessment. These are followed by the creation of a privacy knowledge management program and the implementation of a privacy & data protection policy. The requirements conclude with the testing of a breach reporting procedure.
This process takes your company through the steps necessary to safeguard your data handling. It ensures third party protection measures. Collected information should be maintained accurately and only used for the stated purposes.
Hiring an officer as a data controller or processor
As a personal information controller (PIC) or personal information processor (PIP), you are legally required to work with a DPO. Appointing a DPO is mandatory for a natural or juridical person in the Philippines. It is required for those that are part of the government or private sector. It is also necessary for those that are handling the personal data of individuals.
A DPO’s function in an organization requires expertise. Finding a suitable DPO means finding someone completely familiar with privacy and data protection. A DPO must also have a complete understanding of the work of both the PIC and PIP.
The newly updated regulations for DPO outsourcing are still fresh, but provide a new option for hiring dedicated staff internally. It is critical to work with a DPO that is trusted, capable and accountable.
Penalties and punishments for non-compliance in the Philippines
You may be punished for unfair data handling with hefty fines or even imprisonment. Your company risks being the subject of data privacy complaints if it avoids compliance with the new rules. The same risk applies to projecting a false identity or displaying an incorrect business address.
Unauthorized processing, negligent handling or improper disposal of personal information can be punished with up to six (6) years in prison. Depending on the severity of the violation, authorities may instead request a penalty. This may be up to five million pesos (PHP 5,000,000 / USD 96,812.46).
It may be that as long as no one complains, you will not be checked. However, if you are, the penalties for a breach can be severe. The NPC is now actively trying to penalize those without proper data privacy protections in the Philippines.
Contact Emerhub to enhance the data protection practices in your company in the Philippines. Our team of legal experts will propose a plan for improving your data collection and handling methods according to the law.