WITH the deadline for compliance with RA 10173 (the Data Privacy Act of 2012) looming on the horizon, it seems that most of the organizations I have spoken with that fall under the “more than 250 employees or processing the personal information of more than 1,000 individuals” rule will not make it.
Let’s face it, come the hard deadline of September 9, 2017, many will be found wanting. It is just too short a time. But let us qualify that, shall we? The law was signed on August 15, 2012 and became effective on September 8 of the same year. For those who are wondering: even while the National Privacy Commission (NPC), and consequently the implementing rules and regulations (IRR), did not yet exist, the law was already valid and enforceable. In fact, in the now (in)famous ‘ComeLeak’, this was one of the major arguments of the defense.
It is not the date of effectivity of the law that is the problem; it is the delayed awakening of public consciousness. The government waited too long to create the NPC, and the consequences were a delayed IRR and, most significantly, delayed awareness. In fact, despite its profoundly negative effect, had it not been for the data leak incident at the Comelec and the corresponding judgment rendered by the NPC, which jolted everyone and catapulted the Data Privacy Act (DPA) onto the priority list of all major organizations, awareness would not have reached this level. Nothing like the fear of imprisonment to jolt our senses.
It is only now, thanks largely to the efforts of the men and women of the National Privacy Commission (and in part to the Comelec), that we have been made aware of how important data privacy is and how it can affect our very lives. For too long, we have been very nonchalant about our private information; maybe it is our culture of being very sociable, or maybe we really do just take privacy for granted. But one thing is certain: if you do not take good care of your personal information, your life can be a living hell. Just search the Internet to convince yourself that attacks on the personal level are happening, not just abroad but in our very own Pilipinas. The Data Privacy Act bestows on us rights that were sorely lacking in the past and, furthermore, provides the necessary controls over those to whom we entrust our personal information.
The usual joke floating around is that this is akin to forgetting your driver’s license and driving anyway. Unless you have an accident, everything is fine and dandy. We don’t want to have to go there. Remember that the NPC is a quasi-judicial body that can subpoena, audit, adjudicate and release its findings to the public as it deems appropriate. For an organization in a business where reputation is paramount, a single bad press release could spell doom. Did I mention that the NPC can also issue a cease-and-desist order? An operational nightmare right there. Business implications abound. Say you are an insurance company or a medical health provider: what do you say to your clients if the competition is compliant and you are not? It now implies that you do not place the same importance on their privacy as the other company does. Arguably a big factor in the customers’ decision-making process.
It is a given that many organizations that have only just started their data privacy compliance efforts will not be compliant by September 9. We also know that despite the enormous strides and effort that the NPC has poured into its work since its inception, it does not have the capacity to audit each and every organization in the country. Here are some of the more frequent questions that persist in almost all of the forums I have attended regarding the DPA:
Can the deadline be extended? Who will be audited first? Who should be the Data Privacy Officer (DPO)? Can we outsource the DPO? Personally, although the NPC has talked about this a lot, I think it should put these answers in its FAQs. By the way, the last two questions actually stem from the fact that very few people in an organization want to take on the role. Jail time? Who are we kidding? “I’m not being paid enough to take on that responsibility on top of everything else I’m doing.”
I believe that even though full compliance is still far away for most organizations, showing that there is a deliberate and conscious effort to comply (read: budget) goes a long way in the eyes of the NPC. It is a very daunting task indeed and for those who are worried sick, you can take comfort in the fact that there are still a lot of organizations which do not even know where to start. Overheard from a table at a conference – “What can they do? Put us all in jail?”
The NPC has churned out so many excellent documents and guidelines; all it takes is more effort on our part. When we put in the time to understand these, we will be well on our way. The NPC has reached out to the max, and I have nothing but high praise for its people. Remember, though, that just like other government agencies it has its limitations, and only by supporting it can we all help preserve the sanctity and privacy of personal information.