The National Privacy Commission (NPC) launched on Wednesday, Nov. 10, the Philippine Privacy Trust Mark (PPTM), which aims to increase trust and confidence in businesses and public offices as the mark offers the highest level of assurance on data privacy compliance and secure cross-border data transfers.
“Our launch today of PPTM comes at an opportune time as we aim to fully embrace digitalization for our economic recovery. This won’t be achieved without strengthening the foundation of trust in every action and transaction we make online,” NPC chair Raymund E. Liboro said.
Liboro urged all personal information controllers (PICs) and personal information processors (PIPs) to now aim for certification as PTTM is open to all types of organizations.
PPTM also enables consumers “to make informed choices and have greater control of the personal data collected from them,” Liboro said.
“By helping data subjects identify organizations they can entrust their personal data, we are also encouraging consumers to be more data privacy-conscious and to exercise their rights more prudently,” he added.
The launch comes with the release of the full PPTM Certification Scheme guidelines, which outline the requirements and processes to gain certification, including the requirements for PICs and PIPs to establish, implement, and continually improve their management systems, an imperative to be certified.
The certification process will evaluate an organization’s demonstration of operational compliance with the Data Privacy Act through risk management and assess an organization’s demonstration of having the proper organizational, physical, and technical security measures to ensure data protection.
The guidelines also provide adequate support for cross-border data transfers, reflecting NPC’s intent to align its compliance mechanisms with global practices and standards.
“Certified PICs and PIPs can more easily integrate themselves in global value chains as they gain more clients, customers and business partners with their branding of secure privacy systems,” Liboro said.
While the mark is voluntary and only applicable to management systems, the NPC said organizations must still ensure that all identified products, services, programs, and projects adhere to the data privacy principles of legitimate purpose, transparency, and balance through the data lifecycle.
The certificates are valid for three years and may be renewed. However, those certified could still be suspended if found to “persistently” fail in meeting requirements, such as evidence of continuous improvement.
Failure to resolve an issue within six months could result in revocation of the certification. Revocation will also be applied when the certification is invalid or when a certified organization is found to have violated the terms of the audits or lack the declared requirements for its management systems.
The PPTM Certification Scheme comes with guidance for those seeking to function as bodies that will audit PIC and PIP-applicants, certify their management systems, and renew their certification.
The guidelines also outline the competence requirements and obligations in providing certification assessment for PPTM. The certification bodies recognized by the NPC must demonstrate independence throughout the certification process, which must be completed in six months upon submission of application documents and requirements.
