As the ‘ber’ months officially kick in, I start hearing over the radio my all-time favorite Christmas in Our Hearts by Jose Mari Chan. This means that the Christmas season is here! Some people are beginning to feel nostalgic while others are already in a holiday mood. One can’t help but become very excited with the various promotions that come with the Christmas season. Some stores would ask for the customer’s personal data to qualify for these promotions.
Incidentally, the National Privacy Commission (NPC), being the government agency mandated to administer and implement the Data Privacy Act of 2012, has set September 9, 2017 as the deadline for the registration of companies’ appointed Data Protection Officers (DPOs). Most organizations, particularly on this day, are scrambling on their way to the privacy commission’s office to beat the DPO registration deadline, adding to the horrible Friday traffic.
There is much hype about the DPO appointment and registration, for a very good reason. The DPO is the individual who shall be held accountable for ensuring compliance with applicable laws and regulations. He has a tall order to keep his organization away from data breaches and related controversies that can cause great damage to the business’s reputation and penalties that may be imposed by the privacy commission.
As a cybersecurity and privacy professional, I’m one of those who rally behind the NPC’s efforts in carrying out their mandate to implement the law. As a data subject, it gives me peace of mind. It is my expectation that qualified organizations will stay true to their commitment, i.e. to protect my personal data. Obviously, I don’t want to be part of the identity theft statistics.
With the Data Privacy Law, people would have some responsibility in educating themselves about giving away their data and the implications of their choices. For example, a person seeing a specialist physician will benefit from disclosing detailed personal information related to their health and fitness, compared with signing up at a new gym, which should not require nearly as much disclosure as a medical appointment.
While some of the organizations find the Data Privacy Law a burden due to the cost of compliance, it’s a welcome development for others as it could support their security and governance agenda.
Another thing that comes to mind is PwC’s core value of “putting yourself in the other person’s shoes.” It is like applying the “reverse lens” approach – one would hope that organizations possess an adequate level of control consciousness and high level of commitment that they can protect the processing of their data subjects’ personal data and continuously live up to that expectation.
Before everyone gets into the holiday rush, organizations can consider the following pointers for data privacy compliance:
Avoid over-collection of data
Some organizations tend to collect from their customers or employees personal information that’s more than the necessary. Consider narrowing the collection of personal data. Carefully consider the kind of information being collected about customers, employees, and other parties — how it relates to their individual interactions, and assess if the benefit of collection outweighs the risk.
Re-assess the file retention policy
Filipinos have a bad habit of collecting almost everything that come their way, even if they don’t know what purpose the collected personal information will serve, or worse, whether they would use it at all. For example, personal records of employees who have resigned more than a decade ago remain to be in the archived file, apparently for future reference. Minimize your risk exposures by limiting the personal data in your systems.
Intensify privacy awareness campaigns
People remain to be the weakest link when it comes to information security, and the same applies to data privacy. Aim to develop a sustainable privacy awareness program to cultivate a control-conscious environment.
Encourage customers and employees to think very carefully about the information they provide. For example, the human resource personnel should know what to do with the applicant’s résumé if the organization decides not to proceed with the job offer.
Honor your commitments
When executives talk and emphasize privacy, organization-wide awareness improves and so does the customer experience. It also means building privacy practices and controls into business processes that collect, use, or disclose data, so that these commitments become a part of the way the organization operates.
For the rest of the ‘ber’ months, there are other specific steps that organizations will need to do and consider in preparation for registering data processing systems from January 2018 to March 8, 2018. Organizations will increasingly need to address regulators’ concerns about data privacy. I know that we still have a long way to go before the country reaches the mature state of data privacy compliance. Nonetheless, I remain optimistic that we, as a country, will remain steadfast in making this happen because it is the right thing to do.
Rosell S. Gomez is a risk assurance partner, and lead partner for Global Technology Solutions of Isla Lipana & Co./PwC Philippines. Email your comments and questions to firstname.lastname@example.org. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
ROSELL S. GOMEZ