5 Pillars of Data Privacy Compliance – Pillar 4: Implement Data Privacy and Security Measures

In this digital era, the law mandates government agencies, private institutions, and even individuals to protect and respect data privacy and personal information. The Philippines’ privacy laws were further strengthened when the Data Privacy Act of 2012 was enacted to protect personal data. This law was modelled after the EU Data Protection Directive and influenced by the privacy policies of other countries.

In a nutshell, the main goal of the law is to safeguard an individual’s right to privacy while allowing the free flow of information. It also emphasizes the role of technology in ensuring that data remains secure.

In order to establish guidelines and promote compliance with this law, the National Privacy Commission (NPC) developed the 5 Pillars of Data Privacy Compliance:

  1. appoint a data protection officer
  2. conduct a privacy impact assessment to identify capabilities, threats, and risks
  3. develop a privacy management programme
  4. implement data privacy governance to ensure proper execution of security measures
  5. prepare data breach protocols

In this article, we will focus more closely on the fourth pillar, which is about implementing security measures.

Putting in Place Security Measures Within Your Organization

The implementation of data privacy and security measures involves organizational, physical, and technical measures.

Organizational Measures

This involves the implementation of internal policies, methods and standards, and controls that data controllers and processors must adhere to in order to ensure data security. Some of the most essential organizational measures that must be implemented include:

  • Appointment of a Data Protection Officer (DPO) and data security breach management team

Appointing a DPO is mandatory for companies that perform regular monitoring of data subjects and for those that process sensitive data, such as health information and political beliefs, on a large scale. The DPO must be appointed based on professional qualities and in-depth knowledge of data protection laws and best practices. A data security breach management team must also be established to contain the problem in the event of a breach.

  • Development of Data Protection Policies

The scope of the policies should depend on the company’s size and the type of data processing it performs. The policies and procedures must be easy to follow, and employees must be well aware of their obligations and of what needs to be done in specific situations related to data security.

  • Privacy Notice and Privacy Policy

The Privacy Notice or Fair Processing Statement is an external-facing statement that describes how personal information will be collected, used, transmitted, retained, disclosed, or destroyed. Meanwhile, a Privacy Policy is an internal-facing statement that governs how an organization handles personal information. It provides guidelines for employees to follow regarding the collection and use of data and also covers the specific rights that data subjects have.

  • Perform risk assessments

Risk assessment is a crucial preventive measure and can guide you in creating risk mitigation solutions.

  • Preparation of Business Continuity Plan

Organizations must have a business continuity plan that covers the necessary measures for backing up data, ensuring that it remains secure and can be recovered during an incident.

  • Develop a culture of awareness through training

In order to avoid security breaches and lapses due to negligence, it is important to conduct regular training for employees to raise awareness of these privacy programs. Only by ensuring that policies are clearly communicated and disseminated across the organization will these data privacy and security measures be implemented properly.

  • Review and audits

Controls and audits are intended to ensure that the policies and procedures put in place are effective and to identify areas for improvement.

Physical Measures

A crucial aspect of data security is preventing unauthorized access by implementing physical measures. The following administrative and physical controls can limit what data can be accessed and acquired:

  • Securing the facility

Management policies must be implemented to keep the premises secure against physical theft of equipment and against the introduction of viruses, worms, and other malicious software through personal storage devices. This may include security guards stationed throughout the facility, escorting of visitors, surveillance cameras, alarm systems, and limiting building access.

  • Biometrics or access cards in restricted areas

Restricted areas, such as server rooms where data can be accessed and stolen, must require biometric authentication or access-card privileges.

  • Privacy of workstations

While it may be challenging to ensure the privacy of workstations in an open-office setup, this can be done through measures such as strategic positioning of monitors and setting up cabinets with locks. Also, employees who work on highly confidential information can be stationed in a more secure space with limited access.

  • Proper disposal

Paperwork and devices containing personal data must be disposed of securely, such that they can no longer be retrieved by unauthorized persons, whether intentionally or unintentionally.

Technical Measures

Measures and controls can also be implemented on the technological side, such as the devices, networks, and systems used within the organization. Some of the most common technical measures that can protect your data against breaches include:

  • Encryption

Encryption algorithms and keys can be used to protect data both in transit, over the connections through which it flows, and at rest, where it is stored.

  • Cybersecurity

Firewalls, anti-virus protection, and malware scans are the most basic, yet effective, technical security measures to combat cyberattacks.

  • Passwords

Passwords are always a part of any information security strategy. Strong passwords must be set on PCs and other devices, and documents containing confidential information must be password protected.

  • Access rights

Access to databases that contain sensitive data must be granted on a need-to-know basis. General access to such databases should not be granted to all employees.

  • Regular monitoring

Monitoring for security breaches on a regular basis is best practice. This can be performed through monitoring tools combined with the expertise of the data breach management team.

Implement Data Privacy and Security Measures With Confidence

Get access to ECCI’s Data Security capabilities or start a conversation with one of our expert consultants. We help organizations manage their information security risk through industry best practices and technology solutions. Contact us today to learn more!