THE 28th of January is International Data Privacy Day. It was created to increase awareness and promote privacy and data protection best practices.

In the Philippines, in our own journey to data privacy, we are into the last two months for complying with the Data Privacy Act (RA 10173). Originally set for September 2017, the date for compliance with Phase II has been extended to March 8, 2018, and March 31 for submitting the Annual Incident Report.

If this were a basketball game, we would be down to the ‘last two minutes’ and, from the looks of it, “non-compliance” has a big lead. In these waning moments of the game, less strategy and more one-on-one plays ensue. Some folks are asking me, what now? Since a whole lot of them are still in the midst of gathering information to create the required documentation, should they change priorities and act on the most important requirements first? If yes, which ones?

Okay but first, a disclaimer. The suggestions here are all my own and are not endorsed by any organization or government agency; it might not even be best practice! So, read on and please apply with discretion.

Say somebody needs urgent medical attention and the hospital is quite some way off: you call Emergency Services, and they perform an initial diagnosis and apply first aid while taking the patient to the hospital for treatment.

Well, that’s where we are now – we need to perform some data privacy stop-gap measures and continue the paperwork after. That way we have some semblance of protection to reduce the risk of breaches or leakage of personal information.

First and foremost – start on the measures that will guarantee the rights of the data owner by providing a facility for them to be informed, to object, and to access, rectify, erase or block, or request a copy (in any format) of their personal information. How? You start off by publishing the contact information of the individual or group who is in charge of all data privacy concerns of the organization. It’s as simple as putting it on the website or in email signatures. That way they can file all their requests for access, rectification, erasure/blocking, and copies using the normal communication channels. Bonus if you can have a page on your website with a form that they can fill out. Extra points if there is an additional facility to allow them to follow up or check the status of their request. For information requests – email or snail mail will suffice. Important! Don’t forget to put up your Privacy Notice either on your website or on each and every form that requests personal information. You can put the contact info there as well.

As you may have noticed, the rights to damages and to complain are not in there, as these are directed to the National Privacy Commission.

Second – Provide and enforce appropriate security measures for each stage of the personal data lifecycle. Note that security measures can be in the form of physical and electronic security. If you have personal data in paper documents, a strong and secured storage facility (safe, or metal cabinet with lock and key) plus a proper accounting and logging process will do (lock ‘em up and sign the logbook). Bonus points – closed-circuit TV (CCTV) monitoring. This applies to both the storage and the use of physical documents. Create and maintain an approval process for using, sharing, and storing personal information. Manual forms can be used, and in the absence of any application or tools, email is a good temporary way of requesting, approving and recording requests.

For securing personal data which is in electronic form (e.g. word processing files and spreadsheets), there is a vast selection of free and open source software (FOSS) that can be downloaded and used to apply strong encryption to such files. Encryption is key and is the best protection against theft of computers or laptops holding personal data. Thieves might be able to get their hands on the hardware, but with strong encryption applied, the data will be useless to them. By the way, do not rely on the built-in encryption of word processing and spreadsheet applications. They are weak and can easily be cracked. As much as practically possible, encrypt the entire hard drive or the partition where the personal data is stored.
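To make the "strong encryption" point concrete, here is an added example (not from the column, and not any particular FOSS tool's code) that encrypts a file of personal data under a passphrase: the passphrase is stretched with scrypt, a memory-hard key derivation function that makes every offline guess expensive, and the data is sealed with AES-256-GCM, which also detects any tampering with the encrypted file. It assumes the third-party `cryptography` package is installed; the container layout (header, salt, nonce, ciphertext) is constructed for this example and is not a standard file format.

```python
"""Passphrase-based file encryption: scrypt (memory-hard KDF) -> AES-256-GCM.

Added example, not from the column. Assumes the third-party `cryptography`
package is installed (`pip install cryptography`). The container layout
(MAGIC | salt | nonce | ciphertext+tag) is constructed for this example and is
not a standard format.
"""
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"PDFILE1"       # constructed header; also bound into the GCM tag as AAD
SALT_LEN = 16
NONCE_LEN = 12           # 96-bit nonce, the recommended size for AES-GCM


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """scrypt with n=2**14, r=8 costs about 16 MiB of RAM per guess, which is
    what slows down an attacker who has stolen the encrypted file."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def encrypt_bytes(plaintext: bytes, passphrase: str) -> bytes:
    salt = os.urandom(SALT_LEN)       # fresh salt: same passphrase -> different key per file
    nonce = os.urandom(NONCE_LEN)     # fresh nonce: never reused with the same key
    key = derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def decrypt_bytes(blob: bytes, passphrase: str) -> bytes:
    """Raises ValueError on a wrong passphrase or any modification of the blob."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a container produced by encrypt_bytes")
    pos = len(MAGIC)
    salt = blob[pos:pos + SALT_LEN]
    nonce = blob[pos + SALT_LEN:pos + SALT_LEN + NONCE_LEN]
    ciphertext = blob[pos + SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, MAGIC)
    except InvalidTag:
        raise ValueError("wrong passphrase or file has been tampered with") from None


def encrypt_file(src: str, dst: str, passphrase: str) -> None:
    with open(src, "rb") as f:
        blob = encrypt_bytes(f.read(), passphrase)
    with open(dst, "wb") as f:
        f.write(blob)


def decrypt_file(src: str, dst: str, passphrase: str) -> None:
    with open(src, "rb") as f:
        data = decrypt_bytes(f.read(), passphrase)
    with open(dst, "wb") as f:
        f.write(data)


def self_check() -> dict:
    """Round-trip a constructed record and confirm the two failure modes."""
    record = b"Employee: Juan dela Cruz; TIN: 000-000-000 (constructed sample)"
    passphrase = "correct horse battery staple"
    blob = encrypt_bytes(record, passphrase)
    result = {"roundtrip": decrypt_bytes(blob, passphrase) == record,
              "ciphertext_hides_plaintext": b"Juan" not in blob,
              "wrong_passphrase_rejected": False,
              "tamper_rejected": False}
    try:
        decrypt_bytes(blob, passphrase[:-1])
    except ValueError:
        result["wrong_passphrase_rejected"] = True
    flipped = bytearray(blob)
    flipped[-1] ^= 0x01                 # flip one bit of the authentication tag
    try:
        decrypt_bytes(bytes(flipped), passphrase)
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(self_check())
```

Per-file encryption of this kind protects a spreadsheet that is emailed or copied to a USB stick; it complements, rather than replaces, the whole-drive or whole-partition encryption the column recommends, which also covers temporary files, swap and the application's own autosave copies.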

For destruction of data which is not needed anymore, burn or shred physical documents, and just like with encryption, a myriad of free and open source software is available to overwrite data on hard disks using military-grade methods to render it unreadable.
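The overwrite step those tools perform looks like the following added example (standard library only, not the column's or any tool's code): every byte of the file is replaced with fresh random data, the pass is forced to disk, and only then is the file unlinked, with a check that the record can no longer be read out of the file. The personal-data record is constructed for the demo. One caveat a practitioner should keep in mind: overwriting is only meaningful on a plain magnetic disk with a filesystem that writes in place; SSDs (wear levelling), journaling or copy-on-write filesystems, snapshots and backups can retain old copies of the blocks, so for those the reliable route is full-disk encryption with the key discarded, or the drive's own secure-erase command.

```python
"""Overwrite a file's contents with random bytes, sync, then unlink.

Added example, not from the column. Uses only the standard library. The
personal-data record below is constructed for the demo.
"""
import os
import secrets
import tempfile

# Constructed sample record; repeated to make the file span several writes.
RECORD = b"Name: Maria Santos; Address: 123 Sample St (constructed)\n" * 50


def overwrite_in_place(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` with fresh random data, `passes` times.
    Returns the number of bytes covered per pass. The file is kept so the
    caller can inspect it; use secure_delete() to overwrite and unlink."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:      # unbuffered: writes go straight to the OS
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                written = f.write(secrets.token_bytes(n))   # CSPRNG output, not a fixed pattern
                if not written:
                    raise OSError("short write while overwriting %s" % path)
                remaining -= written
            f.flush()
            os.fsync(f.fileno())                   # push this pass to disk before the next one
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then remove the directory entry. Returns bytes per pass."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def file_contains(path: str, needle: bytes) -> bool:
    with open(path, "rb") as f:
        return needle in f.read()


def wipe_demo() -> dict:
    """Write the constructed record to a temp file, show it is readable,
    overwrite it, show the record is gone, then delete the file."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(RECORD)
    readable_before = file_contains(path, b"Maria Santos")
    bytes_per_pass = overwrite_in_place(path, passes=3)
    readable_after = file_contains(path, b"Maria Santos")
    size_unchanged = os.path.getsize(path) == len(RECORD)
    secure_delete(path, passes=1)
    return {"readable_before": readable_before,
            "readable_after": readable_after,
            "bytes_per_pass": bytes_per_pass,
            "size_unchanged": size_unchanged,
            "deleted": not os.path.exists(path)}


if __name__ == "__main__":
    print(wipe_demo())
```

The `os.fsync` call is the part most home-grown scripts forget: without it the "overwrite" may sit in the page cache and the unlink can happen before the random bytes ever reach the disk.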

You would also need to document all these actions and security measures in your Privacy Notice, along with the declaration that your organization adheres to the guiding principles of transparency, legitimate purpose, and proportionality, as well as to the principles governing collection, processing, retention, and data sharing. It will also be extremely helpful to communicate this internally within the organization via a policy or inter-office memo from the duly designated Data Protection Officer, or DPO.

Again, please be reminded that these are stopgap, first-aid, last-minute one-on-one plays that you can do while you finish off the other compliance requirements. This is what I would do if I were really cutting it too close, because some amount of compliance/protection is surely better than nothing at all.