BPOs need to adjust to stricter EU, Asian privacy rules: NPC

By Paolo Julian

In order to sustain its growth, the local business process outsourcing or BPO industry needs to adjust to stricter European Union (EU) and Asian regulations.

NPC chair Raymund E. Liboro (right) with CCAP president Jojo Uligan at Data Privacy Asia


National Privacy Commission (NPC) chair Raymund E. Liboro made this pronouncement at the Data Privacy Asia conference organized by the Contact Center Association of the Philippines (CCAP) in partnership with Data Privacy Asia Pte. Ltd. of Singapore.

The EU’s new General Data Protection Regulation takes effect in May next year. Under stricter EU regulations, a data processor faces legal obligations in security, record-keeping, and cross-border transfers. Depending on the breach, sanctions could go as high as 4 percent of a company’s annual turnover.

“The EU regulation would require any country to attain ‘adequacy’ status first before being allowed to process EU citizens’ data outside Europe,” Liboro said.

Singapore and Malaysia have also enacted comprehensive data privacy laws patterned after the European model.

Japan, which prides itself on having one of the oldest privacy laws in Asia, recently amended its Personal Information Protection Act. It stipulates prior consent of a data subject if the country to which the information is being transferred does not have a system for protecting personal data that is equivalent to Japan’s.

Liboro said it makes sense for BPO companies to ensure the confidentiality of information so they won’t lose clients.

“As the BPO industry multiplies its contributions and gains greater momentum, so do the risks to personal information increase, and so does the potential for loss in consumer confidence and trust,” Liboro said. “In other words, the stakes are higher now because the potential for harm is exponentially greater.”

He urged Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to comply with general data privacy principles.

PICs are responsible for data, including information that has been transferred to a third party. PICs may outsource the processing of personal data to Personal Information Processors or PIPs.

A BPO company may be classified as a Personal Information Processor, its services outsourced by a principal or a client to process data on their behalf.

“The PIC and PIP should always uphold the rights of the data subjects, and provide adequate means for them to assert these rights,” Liboro said.

“PICs and PIPs shall implement reasonable and appropriate security measures for the protection of personal data. The security measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.”

As personal data processors, BPOs are required to adhere to these rules, Liboro pointed out. “For the longest time, organizations like yours have invested in information security,” Liboro said. “You have put in place measures to keep the bad guys from coming in.”
