Data privacy policies are becoming more comprehensive across the globe, and individuals are beginning to demand rights over their private information. A Social Weather Stations (SWS) survey on data privacy and Internet usage, conducted in June 2017, showed that 85% of Filipino respondents agree that the rights of data subjects are important. There is good news for these respondents. In April 2016, the Data Privacy Act of 2012, which first took effect on September 8, 2012, mandated the creation of a National Privacy Commission (NPC) to implement, enforce and monitor privacy compliance.
In March 2016, the NPC was officially formed and the draft implementing rules and regulations of the Act (known as "IRRs") were released. Following a period of public consultation, the IRRs were finalized in August 2016 and came into effect on September 9, 2016. Now, time is running out for organizations to become compliant.
Impact of the IRRs
According to the IRRs, Filipino citizens have the right to be informed, right to access, right to object, right to erasure or blocking, right to data portability, right to damages, right to file a complaint, and the right to rectify or correct. The IRRs will have a significant impact on all organizations in the Philippines, especially the country’s IT and business process outsourcing (“IT/BPO”) industry. In fact, one of the main reasons the Act was established was to bring the country in line with international data protection standards to ensure the Philippines maintained its position as a leading IT/BPO outsourcing destination.
The IRRs apply to both "personal information processors" (companies engaged by personal information controllers to process personal data on their behalf) and the "personal information controllers" themselves. Both IT/BPO vendors and their customers that use data processing facilities will need to comply with the Act. Personal information does not need to relate to Philippine residents to warrant protection.
What Does the Act Say?
The IRRs are rigorous, borrowing concepts from the new European General Data Protection Regulation (EU GDPR) and from South Korean legislation. Examples taken from the EU GDPR include the right to data portability and a mandatory 72-hour data breach notification requirement. Data sharing requires that data subjects be notified of the specific identity of data transferees when they consent to data sharing arrangements, much as South Korean legislation demands.
The IRRs give personal information controllers and processors that process sensitive personal information of more than 1,000 data subjects one year to register. Pursuant to the law, this means both new and existing organizations in the Philippines must register now. Automated processing operations must also be notified if they significantly affect the data subject.
At an event in April 2017, the NPC outlined its “Data Privacy Accountability and Compliance Framework.”
The framework contains "5 Commandments":
- Appoint a Data Protection Officer.
- Conduct a Privacy Impact Assessment.
- Establish the organization's Privacy Management Program and privacy manual.
- Implement privacy and data protection measures.
- Regularly exercise your breach reporting process.
Which Companies Must Comply?
The new Act affects businesses inside and outside of the Philippines in the following ways:
Business process outsourcing facilities, multinational businesses with offshore call centers and other offshore arrangements in the Philippines will all need to comply with the Act, as they are all considered “personal information controllers.” The IRRs will impact businesses in banking and finance, tourism, retail and any other industry that involves processing private customer and employee information.
Personal information collected from foreign residents in accordance with local laws will not be regulated under the Act, except in relation to security measures, which will apply to both the service provider in the Philippines and the customer organization. The IRRs can also apply to data processing that takes place outside the Philippines where the data relates to its citizens or residents, or where the processing entity has a branch or subsidiary in the country.
The IRRs carry significant penalties for noncompliance. Examples include imprisonment of 1 to 3 years and a fine of up to Php 1 million (about $21,000) for unauthorized disclosure of personal information and imprisonment for 3 to 6 years and a fine of Php 4 million (about $85,000) for processing sensitive personal information without the consent of the data subject.
Overall, the IRRs represent a significant development in data privacy regulation in the Philippines. The Act will affect multi-national businesses that use or provide services in or from the Philippines, as well as local vendors with data processing facilities in the country. If your business is affected by the new Act, conduct a review of your current facilities and data processing activities in the Philippines, including data governance policies, security measures and contractual agreements with third-party vendors.
For global businesses, this type of review may form part of a company-wide project to address the global shift towards enhanced data privacy regulation and heavier penalties for noncompliance.
Find out how Blancco helps organizations address the specific erasure requirements outlined in the Philippines Data Privacy Act. Download the solution brief here.