by Sarah Vasquez, ITX Senior Process Consultant
What is Data Privacy Act of 2012?
Republic Act No. 10173 or Data Privacy Act of 2012 is an act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a national privacy commission, and for other purposes.
The Data Privacy Act of 2012 intends to protect personal information. With most of the information nowadays are processed online, there is no doubt that the Data Privacy Act compliance is now a necessity in the business sector. It was approved into law last August 15, 2012.
The National Privacy Commission (NPC) was created to monitor the implementation of this law.
Personal Information Controllers (PIC)
PIC is a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.This term excludes: (1) A person or organization who performs such functions as instructed by another person or organization; and (2) An individual who collects, holds, processes or use personal information in connection with the individual’s personal, family or household affairs.
Personal Information Processors (PIP)
PIP is any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
Data Protection Officer (DPO)
Appointing a Data Protection Officer (DPO) is a legal requirement for personal information controllers (PICs) and personal information processors (PIPs), under the Data Privacy Act of 20123.
The DPO is tasked to manage the requirements of the NPC in ensuring compliance with applicable laws and regulations on data privacy and protection
Why is DPA Compliance Needed?
Data, an important corporate asset, needs to be protected. Noncompliance to the Data Privacy Act can have serious consequences to you and to your business.
According to the Implementing Rules and Regulations of Republic Act No. 10173, Rule XIII. Penalties, the penalty of imprisonment and the fine can range from, six (6) months) to seven (7) years and PHP 500,000 to PHP 2,000,000, respectively, depending on the severity of offenses.
How to Comply with DPA?
Here are the 5 Pillars of Data Privacy Compliance to guide you in your data protection compliance:
- Appoint a Data Protection Officer
PIC and PIP need to appoint a Data Protection Officer who will be accountable in ensuring compliance to applicable laws and regulations pertaining to data privacy and protection.
- Conduct a Privacy Impact Assessment (PIA)
The purpose of PIA is to evaluate the effects of an organizations’ programs, policies and procedures to data privacy.
- Write your Privacy Management Program and Privacy Manual
This is to make sure that everyone in the organization is informed on the objectives of the company in their compliance to DPA.
- Implement Privacy and Data Protection Measures
Best practices on the compliance to data protection and privacy should continuously be assessed, reviewed, and revised as necessary, while training must be regularly conducted.
- Regularly Exercise your Breach Reporting Process
A 72-hour notification process to NPC in the event of a personal data breach is required.
An annual reporting of the organizations’ documented security incidents and personal data breaches is one of the requirements to comply with DPA.
Who are Required to Register?
Organizations that have at least 250 employees or have access to sensitive information of at least 1,000 persons.
How to Register:
- The DPO shall accomplish and submit the form, together with complete supporting documents as required, to NPC.
- An access code will be provided upon validation of the submitted documents.
- Using the access code to go to the online registration platform, enter all information required about the data processing systems.
- NPC will send a notification on the completion of the registration process.
When is the due date for registration and implementation?
The deadline of registration was extended from March 8, 2018 to July 02, 2018.
For organizations already registered to NPC, it is required to submit their first annual security incident reports until March 31, 2018. No further information on the adjustment on the deadline has been released yet.