Upgrade Magazine


Data privacy compliance is a must for all organizations, says NPC


The National Privacy Commission (NPC) encourages government and private organizations that are becoming dependent on technology to comply with the provisions of the Data Privacy Act (DPA) of 2012, reminding them that there are laws and parameters that govern the protection of information privacy of individuals.

As the country’s privacy watchdog, the NPC has been promoting compliance, calling on government agencies as well as private firms in the Philippines to register their data processing systems with the Commission before the March 8 deadline, as part of the requirements of the DPA of 2012 under section 45 of the implementing rules and regulations.

The objective of compliance is not only to uphold individuals' rights to information and privacy, but also to ensure that there is a free flow of information and that innovation and economic growth are sustainable, so that the country benefits from them.

“Data privacy compliance is a must for all organizations that collect and process personal data. Determining your responsibility in protecting such data – from acquisition, storage, and transfer – not only helps your clients have that sense of security but also strengthens your brand as a company that puts their customers above all else,” said Raymund Liboro, privacy commissioner and NPC chairman.

“We need data but with data comes responsibility,” remarks Annica Witschard, president and CEO at Home Credit Philippines. “We need to make sure we secure and handle the data in a more compliant way and I think we’re fully aligned to that.”

The commission guides companies in assessing the risks to personal data, applying the necessary measures, and remediating existing measures so that they conform with the requirements of the law.

“We’re not here to say don’t do this, don’t do that. We’ll live up to you as decision maker but it’s our expectation that your decisions will always be based on what is being prescribed by the law,” said Liboro.

The NPC can help build a culture of privacy in the country by pushing privacy resiliency in organizations. However, Liboro noted that for the DPA to succeed, the commission needs the cooperation of all critical sectors, including the government, which processes the most personal data in the country, and the private sector, such as banks, BPOs, schools and hospitals.

“If we can build privacy resilience in companies, then we can have a resilient sector and if all sectors would be resilient, then we can claim our country is actually a resilient country in a very excellent destination for personal data from all over the world,” Liboro remarked.

However, if the NPC conducts a compliance check and finds that companies do not comply, or lack the things it needs to inspect, such as the appropriateness of the measures they take, a risk-based privacy management program, and staff training, then they are subject to the penalties and punishments prescribed by the law.

The DPA has provisions on punishable acts that can be committed by a person or entity and their corresponding penalties or punishments. For example, in a case of unauthorized processing, where a company does not get proper consent from a person whose consent it should obtain, the penalty is a jail term of one year to three years, and three to six years if it involves sensitive personal information, or fines of Php500,000 to Php2-million.

Liboro advises companies to really invest in consent or be serious in compliance with the law. More than these punishments and penalties, the biggest casualty when a company does not comply is its reputation, Liboro claims.

“In this digital economy, trust really matters. You would not give your personal data to a company when you know that it is violating the law or is not complying,” Liboro said.

For Witschard, responsible use of data, one that is fully compliant with the DPA, is a must to protect consumers and retain their trust.
