REVIEW:
Last time we tackled the DPA as a must compliance for organizations operating in the Philippine jurisdiction. We learned the following key points:
- The Data Privacy Act of 2012 (R.A. 10173) came into law in the year 2012.
- The DPA is a law that regulates the processing of personal information in the Philippines. If your organization processes the data of a thousand (1,000) data subjects or has 250 or more employees, it is obligatory to comply with the law.
- The DPA mandates protection measures on the data acquired by the organization. These include organizational, physical, and technical measures to protect the confidentiality, integrity, quality, and availability of the data.
- The data subject (the owner of the data) has eight (8) fundamental rights under the DPA: the right to be informed, the right to object, the right to access, the right to data portability, the right to rectification, the right to erasure or blocking, the right to file a complaint, and the right to damages.
- The government agency in charge of the full implementation of the law is the National Privacy Commission (NPC), an independent agency attached to and operating under the Department of Information and Communications Technology (DICT).
- The National Privacy Commission has many roles and functions, most especially the enforcement of the law. We gave the example of the NPC issuing a cease and desist order against Jollibee Foods Corporation's online delivery system.
- This example could happen to any organization, most especially if you do not comply with the law.
- The law has controversial penalties: it penalizes an organization with a fine of not less than five hundred thousand pesos (Php 500,000) and up to five million pesos (Php 5,000,000), and imprisonment of the head of the organization ranging from 6 months to 7 years.
Now, let us discuss the details of your initiative to comply with the provisions and requirements of the law. Let's start with the five pillars of compliance, because these will be one of the bases for assessing how far your organization's initiative to comply has gone.
The five pillars of compliance to the Data Privacy Act are mandatory for all organizations covered by the DPA. As I mentioned in my past article (DPA, A Must Compliance to Organizations Operating in Philippine Jurisdiction), they will be one of the indicators of an organization's compliance with the law.
The National Privacy Commission has set the Five Pillars of Compliance. These are the following:
- Appointing a Data Protection Officer (DPO)
- Conducting a Privacy Impact Assessment (PIA)
- Creation of the Data Privacy Manual
- Implementation of Data Privacy and Security Measures
- Being ready in case of data breach
Let us now discuss how to navigate your compliance with the Five Pillars on Data Privacy:
Pillar no. 1 is APPOINTING A DATA PROTECTION OFFICER (DPO). All organizations covered by the DPA must have their own DPO; this is a legal obligation. The Data Protection Officer shall be registered with the National Privacy Commission, and the necessary documents must be submitted to the NPC during registration. These documents include the SEC registration of the organization, the appointment papers of the DPO, and other required documents. The DPO plays a major role in ensuring the organization's full compliance with the law. In the organizational structure, the DPO is placed in middle management, and must be able to coordinate and work with the respective department heads to navigate compliance. DPA compliance is a collaborative effort between the Data Privacy Office and every department in the organization. The tasks of the DPO include:
- Assessment
  - Conducting a DPA compliance assessment or compliance gap analysis
  - Doing data inventory and data mapping
  - Generating the compliance report, data inventory, and analysis report
- Protection
  - Coming up with the data privacy risk registry, risk treatment, action plans, and DPIA projects
  - Deploying the controls identified in the Privacy Impact Assessment (PIA)
  - Implementing organizational, physical, and technical measures in data protection; data confidentiality, integrity, availability, and quality must be maintained by the organization
- Sustenance
  - Conducting compliance monitoring and data privacy audits, and upgrading the data protection competency of all key people in the organization
  - Ensuring all members of the organization protect the data they handle
- Responding
  - Responding to and granting data subject requests
  - Ensuring the exercise of the rights of the data subjects
  - Establishing the breach management policy, team, and procedures
  - Preparing for any data breach
  - Responding to data breaches
- Data governance and protecting the records of the organization
  - Submitting annual reports to the National Privacy Commission
  - Updating registration as needed
  - Registration of data processing systems in compliance with NPC Circular 17-01
Pillar no. 2 is CONDUCTING A PRIVACY IMPACT ASSESSMENT (PIA). In general, a PIA should be undertaken for every processing system of a PIC or PIP that involves personal data. A PIA should be conducted for both new and existing systems, programs, projects, procedures, measures, or technology products that involve or impact the processing of personal data. A PIC may require a PIP or a service or product provider to conduct a PIA. A PIC or PIP may also choose to conduct a single PIA for multiple data processing systems that involve the same personal data and pose a similar risk. The PIC or PIP may forego the conduct of a PIA only if it determines that the processing involves minimal risk to the rights and freedoms of individuals, taking into account recommendations from the DPO.
The PIA is intended to:
- Identify, assess, evaluate, and manage the risks represented by the processing of personal data
- Assist the PIC or PIP in preparing the records of its processing activities and in maintaining its privacy management program
- Facilitate compliance by the PIC or PIP with the DPA, its IRR, and other applicable issuances of the NPC, by determining:
  - Its adherence to the principles of transparency, legitimate purpose, and proportionality;
  - Its existing organizational, physical, and technical security measures relative to its data processing systems;
  - The extent to which it upholds the rights of the data subjects; and
- Aid the PIC or PIP in addressing privacy risk by allowing it to establish a control framework
The PIC and PIP are primarily accountable for the conduct of the PIA. The responsibility remains with them even when they elect to outsource or subcontract the actual conduct of the activity. A recommendation to conduct a PIA may also come from the DPO of the PIC or PIP, since part of the DPO's functions is to ensure the conduct of a PIA relative to the activities, measures, projects, programs, or systems of the PIC or PIP. There is no prescribed standard or format for a PIA; as such, the PIC or PIP may determine the structure or form of the PIA that it will use.
Pillar no. 3 is CREATION OF THE DATA PRIVACY MANUAL, or coming up with the PRIVACY MANAGEMENT PROGRAM (PMP). But why do we need to create a PMP? The answer is that it puts everyone on the same page. A PMP provides an easier way to explain to the management and staff of your organization why you are doing this, what results you expect, what the benefits of those results are, and what you need to get there. With this, you will smoothly get everyone on board with the PMP.
A Privacy Management Program (PMP) is a holistic approach to privacy and data protection, important for all agencies, companies, or other organizations involved in the processing of personal data. It is a process intended to embed privacy and data protection in the strategic framework and daily operations of the PIC or PIP. A PMP is an acknowledgement by the PIC or PIP of its accountability for complying with the requirements of the Act. Its key components are:
- Governance
  - Management Buy-In
  - Data Protection Officer
- Program Controls
  - Records of Processing Activities
  - Risk Assessment
  - Registration
  - Policies and Procedures
  - Data Security
  - Capacity Building
  - Breach Management
  - Notification
  - Third-Party Management
  - Communication
- Continuity & Establishing a Privacy Ecosystem
  - Oversight and Review Plan
  - Assessment and Revision of Program Controls
  - Updates and Revision
- Background
- Definition of Terms
- Scope and Limitations
- Processing of Personal Data
  - Data Collection
  - Data Use
  - Data Storage, Retention and Destruction
  - Data Access
  - Data Disclosure and Sharing
- Security Measures
  - Organizational Measures
  - Physical Measures
  - Technical Measures
- Breach and Security Incident
Pillar no. 4 is IMPLEMENTATION OF DATA PRIVACY AND SECURITY MEASURES. Whatever the provisions of the Philippine Data Privacy Act of 2012 are, all of them must be complied with to avoid violating the law, which would result in legal matters and, worse, penalties. The penalty for violating the DPA is both imprisonment and a fine: the imprisonment can go as high as 7 years and the fine as high as five million pesos (Php 5,000,000). Security measures must be part of the organizational culture and embedded in each process and system, most especially in data transfer or sharing. The most common security incidents are unauthorized access and unauthorized disclosure; these must be avoided at all times. Concealment of a breach is one of the crimes cited in the law: the PIC and PIP, through the DPO, have the responsibility to report breaches, most especially when they involve sensitive data of the organization's customers. The DPO has only 72 hours to report a breach that has happened. Failure to report a breach is tantamount to concealment of a breach, with a penalty of 18 months to 5 years imprisonment and a fine of five hundred thousand (Php 500,000) to one million pesos (Php 1,000,000).
Pillar no. 5 is BEING READY IN CASE OF DATA BREACH. In this pillar, the organization's preparedness for any form of breach is being challenged. The most common incident is data hacking for those who operate in the digital world of the internet. Any organization is open to this type of risk, which is why control measures and reporting systems must be fully established and functional. The organization's accountability under the law will always rest on the measures implemented in the 3 main categories. Physical measures are controls established to address physical risk, for example putting locks on cabinets containing data. Technical measures are controls established to address technical risk, for example putting passwords on files containing data that will be sent through email. Organizational measures are measures established to control the risk arising from the implementation of data processing; an example is a policy and procedure for access to data.
About the Contributor:
JOSUE T. OBELIDOR, RN, CDPO ACE 1 is a Registered Nurse and a Philippine Government Registered Data Protection Officer. Currently, he is the Data Protection Officer (DPO) of Far Eastern University Dr. Nicanor Reyes Medical Center (FEU-NRMF), an institution composed of a school and a tertiary hospital, offering degree programs in Medicine and Allied Health Sciences (BS Nursing, BS MLS, BS Pharmacy, BS Physical Therapy, BS Respiratory Therapy, BS Radiologic Technology, BS Nutrition and Dietetics) and Senior High School. He has been with the institution for three (3) years now. Previously he had five (5) years of experience in the field of Quality Management Systems and worked as the Quality Management Representative (QMR) of different tertiary hospitals, namely Mother Seton Hospital at Naga City, Daniel O. Mercado Medical Center at Batangas City, and World Citi Medical Center at Quezon City. He also practiced his nursing profession as an ICU nurse for 3 years at Mother Seton Hospital.