
Data privacy and you.

Complying with the Data Privacy Law of the Philippines

One Luna Editorial Team

The UN recognizes privacy as a fundamental human right that should be afforded to everyone. In the Philippines, the protection of personal information got a big boost with the implementation of the Data Privacy Act. Although the Act has been in effect for only a few months as of this writing, we continue to receive many questions from our clients about the proper way to comply with the new legislation. In this article, we list five action steps to get started.

At the most basic level, the Data Privacy Act aims to make the privacy of customers (and of any other individual whose personal data you hold) an essential consideration in every business decision. In the past, a company whose customer database was broken into by hackers typically faced no legal consequences. With the Data Privacy Act in effect, businesses are expected to take a proactive role: appoint someone to take charge of information security, assess the potential impact of a data breach, create a data privacy manual, implement concrete security measures, and prepare to respond when a breach does occur.

Appoint a Data Privacy Officer

The Data Privacy Officer (DPO) is tasked with protecting the personal data that your company collects in the course of its operations. Ideally, this responsibility should be given to someone with a background in data protection and privacy. In a small business, however, the DPO can simply be a role assumed by the owner.

Conduct a Privacy Impact Assessment

In this activity, you will identify the personal data that you collect from your customers, how you currently protect it, and how the processes of collection and protection can be improved. To conduct a Privacy Impact Assessment (PIA) in a way that complies with the regulations, you must prepare a report that states how stakeholders were involved, the proposed steps to mitigate the risks identified, and the process for communicating the results of the PIA to the relevant stakeholders. There is no prescribed format for a PIA; it will be considered valid if the company carries it out in a systematic manner that complies with the spirit of the regulation.

Before undertaking a PIA, the following must be taken into consideration according to ACCRALAW, a prominent law firm in the Philippines (a PIC is a personal information controller, the entity that decides what personal data is collected and how it is processed; a PIP is a personal information processor, an entity that processes personal data on a PIC's behalf):

The PIC or PIP should signify its commitment to the conduct of the PIA by:
- deciding on the need for a PIA;
- designating a person responsible for the whole process;
- providing resources to accomplish the objectives of the PIA; and
- issuing a clear directive for the conduct of a PIA.
The PIC or PIP must identify:
- the program, project, process, measure, system, or technology product on which the PIA will be conducted;
- the process owners, participants, and the persons in charge of conducting and preparing the PIA and its corresponding report;
- the procedure on how internal and external stakeholders will be involved; and
- the procedure for integrating the recommendations of the PIA into the control framework of the organization.
The PIC or PIP should consider in the preparatory activities leading up to the conduct of the PIA that:
- records of the processing activities of the PIC or PIP and an inventory of the personal data involved in such activities are maintained;
- a preliminary assessment is undertaken in order to determine baseline information, including existing policies and security measures of the organization;
- stakeholders are consulted to identify their concerns, expectations, and perception of risk posed by the entity’s processing activities;
- the objectives, scope, and methodology of the PIA are established; and
- a detailed plan for the conduct of the PIA is prepared.

Create a Data Privacy Manual

Your business must create a data privacy manual. This document contains the policies governing how your company protects personal data through its whole life cycle, from collection to destruction, in compliance with the Data Privacy Act. It describes the concrete actions you will take in specific circumstances (such as a data breach) and how those steps uphold your customers' right to privacy. For a full guide on how to create a privacy manual, the National Privacy Commission's published guidance on privacy manuals will help you get started.

Implement Security Measures

In this step, you will roll out the action steps outlined in your data privacy manual throughout the organization. The Data Privacy Officer takes the lead in the implementation and records the company's progress toward better handling of personal data, so that you can demonstrate compliance when asked.

Prepare for a Data Breach

Your company should be able to show that it is ready to limit the harm caused by a data breach. In this step, you rehearse how your company will respond to possible breaches and carry out routine checks on your processes and on every point where personal data is collected. Your breach response plan should also cover notification: under the Act's implementing rules, a breach that meets the notification criteria must be reported to the National Privacy Commission and to the affected data subjects within 72 hours of becoming aware of it, so the people, contact details, and decision steps for that notification should be settled before an incident occurs.

Complying with the new regulation entails a renewed commitment to protecting your customers' data. Your company should collect only the personal data that is needed for a declared, legitimate purpose; that is, you should not collect data that is unrelated to that purpose (the Act's proportionality principle). Once these safeguards are in place, consult your lawyer on further ways to improve your compliance with the Data Privacy Act.

Disclaimer: The information in this blog post ("post") is provided for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. No information contained in this post should be construed as legal advice from One Luna or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances. An attorney should be contacted for advice on specific legal issues.