DATA PRIVACY MANAGEMENT SERVICES
Complying with the Philippines DATA PRIVACY ACT of 2012
The Data Privacy Act (DPA) of 2012 – Republic Act No. 10173 – was signed into law on August 15, 2012. The law created the National Privacy Commission (NPC) as a regulatory agency and independent quasi-judicial body attached to the Department of Information and Communications Technology (DICT). The NPC has issued comprehensive Implementing Rules and Regulations (IRR) as well as a series of NPC Advisories.
Scope of DPA
The DPA protects and regulates personal information, which broadly speaking means any information that can identify an individual, either directly or indirectly when combined with other information. The DPA mandates certain compliance duties on Personal Information Controllers (PIC) and Personal Information Processors (PIP). The DPA also governs the rights of data subjects to their personal information and the obligations of PIC/Ps necessary to protect them.
Summary of Engagement Phases
PHASE 1: Data Privacy Orientation and Training
It is important that senior and middle management understand the requirements of the Data Privacy Act and are committed to its proper implementation. This initial phase of the engagement consists of the following:
- Orientation sessions on Privacy and the Data Privacy Law, highlighting key elements of the law, the compliance model, and a high-level review of the Privacy Management Program.
- Session for Senior Management (duration: 2-3 hours, a breakfast meeting)
- Session for Middle-Level Management or Department Heads (duration: 3 hours)
- Training sessions for Data Compliance Teams (duration: 2 days)
- Certification Training for Data Privacy Officers (duration: 5 days)
PHASE 2: Privacy Management Program (PMP)
The Privacy Management Program has been designed to bring the organization into compliance with the DPA and its IRRs and Advisories. The program consists of the “Five Pillars” of data privacy accountability and compliance, as defined and prescribed by the NPC.
PHASE 3: Maintenance of Compliance & Annual Reporting
It is important to stay current and informed in the constantly changing regulatory environment. The DPA requires regular updates of impact assessments, policies and procedures, and risk mitigation measures. An annual report to DPC is also required.