Sunday, June 23, 2024

NPC warns late registrants may face privacy compliance checks

Public and private companies that failed to beat the September 9 deadline for the registration of their data processing systems starting with the registration of their Data Protection Officer (DPO) could face compliance checks, the National Privacy Commission (NPC) warned.

NPC chair Raymund Liboro (center, standing) is seen assisting NPC staff collecting Data Protection Officer (DPO) registration and supporting documents on the eve of the deadline (September 8, 2017) of the registration of DPOs
NPC chair Raymund Liboro (center, standing) is seen assisting NPC staff collecting Data Protection Officer (DPO) registration and supporting documents on the eve of the deadline (September 8, 2017) of the registration of DPOs

Since September 9 fell on a Saturday, a non-working day, the deadline automatically moves to the next working day, on Monday of September 11, 2017, the agency said.

?Failure to register may subject a company or an agency to compliance checks, compliance orders, and depending on attendant circumstances may be considered evidence of unauthorized processing, punishable under the Data Privacy Act,? said NPC chair Raymund Liboro.

?For one thing, in case an organization suffers a data breach in the future, its non-registration would imply lack of due diligence, critical in defending against charges of negligence,? Liboro added.

?We will continue accepting DPO registration papers from controllers and processors even after the Monday deadline but such will be considered ?late registrants?, and included in the list of priority organizations for a data privacy compliance check,? Liboro said.

A compliance check by the NPC means an organization will be subjected to a comprehensive compliance validation process based on 10 critical aspects of accountability, which the NPC has termed as the Data Governance Framework.

The compliance check involves interviews, operations inspection, documents analysis, and pertinent activities intended to appraise the organization?s culture of privacy.

Several conglomerates have registered their DPOs with the NPC, among them belonging to local conglomerates such as the Ayala and SM Group.

One of the first companies that was able to comply with the designation and registration of a DPO was Philippine National Bank, one of the companies under the Lucio Tan Group, which submitted their registration as early as May this year.

According to Roland Oscuro, DPO of PNB: ?In our industry, the protection of personal data is essential in maintaining the trust of our customers, as well as improving market position. Our long term goal is to develop a culture of privacy within our organization that we hope our employees can take home and share with their family and friends.?

Unionbank, another banking institution that has complied with the Data Privacy Act, has also complied with the law. According to Henry Aguda, DPO of Unionbank: ?Data privacy is the proxy for trust in the information age. Together with the appropriate information security, privacy, as an organizational mindset, paves the way for responsible innovation in both online and onsite banking services.”

In case the NPC finds an organization wanting, Liboro said the privacy compliance check could lead to the issuance of a Compliance Order, which enforces specific actions to be performed by the company within a time period.

In case the organization did not follow through satisfactorily, it will trigger a formal investigation that could possibly result in prosecution.

In an effort to give organizations ample time to comply, the commission has earlier divided the registration process into two phases and extended the deadline for the more rigorous second phase to March 8, 2018. The first phase, however, which essentially consists of a DPO registration, is not subject to an extension.

?Much as we may want an extension, we are compelled by law to strictly enforce the September 9 deadline for organizations to register their data processing system, which is exactly one year following the date of effectivity of the IRR (implementing rules and regulations). We understand privacy compliance is something new and we?ve made it easier by dividing it into phases, so that phase one is just all about DPO registration. We cannot, however, be lenient about the deadline itself,? Liboro said.

Section 47 of the IRR of the Data Privacy Act of 2012 requires personal information controller (PIC) or personal information processor (PIP) that employs 250 persons or more to register their information processing system with the NPC.

Those that employ fewer than 250 persons are also required to register if their operations involve the processing of personal data that may likely pose a risk to the rights and freedoms of data subjects; the processing is not occasional; or the processing includes sensitive personal information of at least one thousand (1,000) individuals.


- Advertisement -spot_img




- Advertisement -spot_img