What Filipinos must know about Data Privacy Act and GDPR

By Sumit Bansal

In this day and age, data is the new currency, as the digital economy thrives on acquired, stored, and processed information. Businesses use data to tailor services and products to their customers, which has made interactions more efficient and transactions more profitable.

If legitimate businesses can have all that information at their fingertips, cybercriminals can obtain it illegally as well, increasingly through malware that has grown more sophisticated and technologically advanced.

Malware goes modern

Malware is no longer just the viruses, worms, and Trojan horses that simply disabled computers; those delivery mechanisms are still in use, but the payloads have changed. Nowadays, companies and individuals are encountering more cases of data breaches, ransomware, and cryptojacking.

A data breach is a confirmed incident in which personal data is accessed, disclosed, or taken without authorization. Ransomware is malware that encrypts a victim's files and demands payment in exchange for the decryption key needed to regain access; paying does not guarantee that the key is ever delivered. Cryptojacking is the unauthorized use of a victim's computing resources (processor time, and with it electricity) to mine cryptocurrency, a form of digital currency that uses cryptographic techniques to regulate its generation and transfer.

Recent large-scale incidents include the 2016 Uber data breach, disclosed only last year, which affected 171,000 users in the Philippines, and the 2017 WannaCry ransomware attack, a worldwide outbreak that spread on its own between unpatched Microsoft Windows machines by exploiting an SMB vulnerability Microsoft had patched two months earlier (MS17-010), encrypting files and demanding payment in Bitcoin.

In fact, the National Privacy Commission (NPC) has received 57 data breach notifications since January this year. The NPC ordered fast-food giant Jollibee Foods Corp. to suspend its online delivery services and implement stronger website security measures following a data breach the company reported in December 2017, while another fast-food chain in the Philippines, Wendy's, was required to formally inform customers about its own breach after its website was infiltrated and users' personal data were obtained and published online.

Data regulation and protection

In order to protect users' privacy and deter cybercrime, legislative measures have been enacted both locally and globally that prohibit the access, collection, use, or release of personal data without a lawful basis, most commonly the express consent of the person concerned.

Republic Act (RA) 10173, more commonly known as the Data Privacy Act of 2012, protects the fundamental human right to privacy while ensuring the free flow of information needed to promote innovation and growth. It also commits the State to ensuring that personal information collected by the government and the private sector is secured and protected. Under RA 10173, the NPC was created to enforce and oversee the Act.

Penalties under the Data Privacy Act are criminal: the basic offences of unauthorized processing and unauthorized access carry imprisonment of one to three years and a fine of P500,000 to P2,000,000, with higher ranges where sensitive personal information is involved. The Act penalises negligent access as well as intentional breaches, so carelessness that lets a breach happen is punishable even where nobody acted maliciously.

The European Union (EU), on the other hand, began enforcing the General Data Protection Regulation (GDPR) on 25 May this year. It is a major step in digital privacy that strengthens data protection law and gives individuals control over their personal data, while emphasising the ideas of freedom, security, and equality.

Depending on the outcome of regulators' investigations, penalties under GDPR can reach up to €20 million or 4 percent of the company's worldwide annual turnover for the previous financial year, whichever is higher; a lower tier of €10 million or 2 percent applies to less serious infringements.

Both are based on the principles of the EU's earlier Data Protection Directive (DPD, Directive 95/46/EC), which GDPR replaced. This shared ancestry accounts for the laws' many similarities and makes understanding and compliance easier for Philippine organizations that already follow the Data Privacy Act.

Both require that a personal data breach be reported to the regulator (the NPC, or the relevant EU supervisory authority) within 72 hours of the organization becoming aware of it, and both also require that affected individuals be notified. Note that the clock starts at awareness of the breach, not at the end of the investigation, so an initial notification is expected to be made with incomplete information and supplemented later.

What these laws mean for Philippine organizations

Organizations in the Philippines should note that the GDPR has extraterritorial effect: it applies even to organizations with no operations in the EU, as long as they offer goods or services to individuals in EU countries or monitor the behaviour of individuals there (for example, by tracking EU visitors to a website). Such organizations fall within its scope and can be fined under it.

The NPC has issued recommendations for Philippine organizations in the public and private sectors to ensure compliance with data privacy laws, which include:

  • The appointment of a data protection officer
  • The conduct of a privacy impact assessment on the organization to understand its current risks and vulnerabilities
  • The creation of a privacy management program and privacy manual to align management and employees of every rank
  • The implementation and regular updating of privacy and data protection measures, and
  • The preparation of security measures and procedures to prevent, respond to, and report data breaches, with the breach reporting procedure exercised regularly.

With how far the threat landscape has evolved, organizations should ensure their security solutions and procedures keep pace. Combining predictive technologies with synchronized security, in which security products share information with one another, can help them stay ahead. These should be considered investments not just in data security and privacy, but also in business productivity and efficiency, and in protection from litigation and compliance failures.

The author is the managing director of Asean and Korea at Sophos
