by Sarah R. Vasquez, ITX Senior Consultant
Privacy Management Program (PMP)
A PMP is a holistic approach to privacy and data protection, and it is important for every agency, company or other organization involved in the processing of personal data.
Purpose of Establishing a Privacy Management Program
Organizations should treat data privacy and protection as part of their corporate governance responsibilities and not merely as a legal compliance requirement. Hence, the formulation of a comprehensive Privacy Management Program is vital to the organization.
The PMP reduces both the risk of privacy breaches and their impact on the organization. Effective implementation of the PMP will also help you identify the root causes of problems relating to data privacy.
Key Components of a Privacy Management Program
Summarized checklist based on the National Privacy Commission (NPC) Toolkit, "A Guide for Management & Data Protection Officers":
- Organizational Commitment
  - Management Buy-In
  - Accountable and Responsible Persons
  - Reporting Mechanisms
- Program Controls
  - Records of Processing Activities
  - Risk Assessment
  - Policies and Procedures
  - Security Measures
  - Capacity Building
  - Registration and Notification
  - Breach Management
  - Personal Information Processor and Third Party Management (for PICs)
- Continuing Assessment and Development
  - Oversight and Review Plan
  - Assess and Revise Program Controls
What is a Privacy Manual?
The Privacy Manual is a document that helps ensure that organizations processing personal data comply with the requirements for data privacy. The manual should contain the policies, procedures and measures for the safety and security of personal data. The PIC (Personal Information Controller) or PIP (Personal Information Processor) is in charge of producing and implementing the appropriate measures for protecting personal data as written in the manual.
The Privacy Manual should state that it is written and implemented in compliance with Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission.
You may consider including the following sections, among others, as the outline of your Privacy Manual, based on the "Creating a Privacy Manual" section of the NPC's website.
- Definition of Terms
- Scope and Limitations
- Processing of Personal Data
- Storage, Retention and Destruction
- Security Measures
  - Organizational Security Measures
  - Physical Security Measures
  - Technical Security Measures
- Breach and Security Incidents
  - Creation of a Data Breach Response Team
  - Measures to prevent and minimize the occurrence of breaches and security incidents
  - Procedure for recovery and restoration of personal data
  - Notification protocol
  - Documentation and reporting procedure for security incidents or a personal data breach
- Inquiries and Complaints
The Privacy Manual, when written properly, will aid you in the successful implementation of, and compliance with, the Data Privacy Act.
About the Author:
Sarah Vasquez is an experienced ISMS and Data Privacy Practitioner with comprehensive knowledge and extensive expertise gained in both multinational semiconductor manufacturing and information and communications technology industries. She currently holds the lead role in ECC International’s IT Excellence domain.
Learn more about her here: https://www.linkedin.com/in/sarahrvasquez