In a recent briefing, NPC policy review division chief Vida Zora Bocar said the agency has come out with the guidelines on checking for compliance after issuing NPC Circular No. 18-02 in September.
Bocar mentioned that the NPC will prioritize the monitoring of sectors where personal data gathering and processing are critical such as schools and banks.
She explained that there are three modes of compliance checks, which include privacy sweep, documents submission, and on-site visits.
The privacy sweep mode reviews the compliance of a Personal Information Controller (PIC) or Personal Information Processor (PIP) with its obligations under the Data Privacy Act and related issuances, based on publicly available and accessible information.
Bocar said there are nearly 200 PICs or PIPs subject to privacy sweep.
The second mode is documents submission, wherein NPC may require the submission of documents and additional information from a PIC or PIP that has undergone a privacy sweep.
Bocar noted that there are also PICs or PIPs that will be subject to documents submission for 2019.
On-site visit, on the other hand, will be done by NPC if there are persistent findings of non-compliance with the obligations in the Data Privacy Act.
Meanwhile, the NPC recently piloted the ACE Data Protection Officer (DPO) Program. ACE stands for accountability, compliance, and ethics.
Bocar said 60 DPOs from both public and private sectors comprised the pioneer batch for the ACE DPO Program.
The ACE DPO Program is a ladderized development program for DPOs. The topics under the program include managing breaches, establishing and administering a Privacy Management Program, conducting a Privacy Impact Assessment, and NPC's Compliance and Accountability Framework.
The agency aims to roll out the program in other regions in the country next year. — Kris Crismundo (PNA)