
A Brief Guide to Data Privacy Compliance


by former DPC Dondi Mapa
(email dmapa@outlook.com for a copy of the slides)
Why comply?

01 Legal  02 Ethical  03 Safety  04 Practical
01 Legal

Legal basis:
• Philippine Constitution of 1987
• Data Privacy Act of 2012
• IRRs (promulgated 2016)

2016 Series
• Circular 16-01: Government Agencies
• Circular 16-02: Data Sharing
• Circular 16-03: Breach Management
• Circular 16-04: Rules of Procedure

2017 Series
• Advisory 17-01: DPO Guidelines
• Advisory 17-02: PDS Guidelines
• Advisory 17-03: PIA Guidelines
• Circular 17-01: Registration
02 Ethical

“Our rights as data subjects…” (from Sections 16-18 of RA 10173, the Data Privacy Act of 2012):
• Right to be informed
• Right to object
• Right to access
• Right to data portability
• Right to correct
• Right to block/remove
• Right to file a complaint
• Right to be indemnified
03 Safety

“The Data Privacy Act is the safety belt for organizations that are moving into the world of digital transformation and data monetization.”
- Dondi Mapa

What the safety belt protects against: Loss of Market Value, Job Loss, Fines, Bankruptcy, Jail
04 Practical

In today’s data-driven economy, privacy has become the proxy for trust: if you respect my privacy then I will trust you, and if I trust you then I will do business with you.
- former DPC Dondi Mapa

So…you haven’t complied. What’s the worst that could happen?
Section 7.b
The National Privacy Commission has the power to…
• receive complaints,
• institute investigations,
• facilitate or enable settlement of complaints through the
use of alternative dispute resolution processes,
• adjudicate,
• award indemnity on matters affecting any personal
information,
• prepare reports on disposition of complaints and resolution
of any investigation it initiates, and,
• in cases it deems appropriate, publicize any such report.
Events that may trigger a data privacy investigation by the NPC

01 Complaint from a data subject. The rules for complaints handling are contained in NPC Circular 16-04, “Rules of Procedure of the NPC”.
02 Report from a whistleblower. The NPC does not reward whistleblowers.
03 The NPC’s own initiative. May be based on a news article.
04 Random or sectoral audit.

[Chart: Nature of complaints received by the NPC as of 30 June 2017]
Complaints & Investigation Process

1. Data Subject submits a written complaint to your organization.

4. After conducting its investigation, the NPC may:
- Dismiss the case
- Send it to arbitration
- Find for the complainant

Note: Findings are subject to appeal, which must be filed within 15 days.
If the complaint is upheld
The National Privacy Commission may…
• Issue cease and desist orders, impose a temporary or permanent
ban on the processing of personal information, upon finding that
the processing will be detrimental to national security and public
interest (Sec. 7.c)
• Compel or petition any entity, government agency or
instrumentality to abide by its orders or take action on a matter
affecting data privacy (Sec. 7.d)
• Recommend to the Department of Justice the prosecution and
imposition of penalties specified in this Act (Sec. 7.i)

Possible outcomes: Compliance Order, Damages, Ban on Processing, Publication, Prosecution
Who is liable?

• Sec. 22. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein…

• Sec. 34. Extent of Liability. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.
Penalties under the DPA (where two jail terms are given, the first applies to personal information and the second to sensitive personal information; the fine column shows the overall range):

Section | Punishable Act | Jail Term (PI / SPI) | Fine (Pesos)
25 | Unauthorized processing | 1y to 3y / 3y to 6y | 500k to 4m
26 | Access due to negligence | 1y to 3y / 3y to 6y | 500k to 4m
27 | Improper disposal | 6m to 2y / 1y to 3y | 100k to 1m
28 | Unauthorized purposes | 18m to 5y / 2y to 7y | 500k to 2m
29 | Intentional breach | 1y to 3y | 500k to 2m
30 | Concealment of breach | 18m to 5y | 500k to 1m
31 | Malicious disclosure | 18m to 5y | 500k to 1m
32 | Unauthorized disclosure | 1y to 3y / 3y to 5y | 500k to 2m
33 | Combination of acts | 3y to 6y | 1m to 5m
Ok…I’m convinced. So how do we comply?
The Obligations which must be complied with

• Data Privacy Act of 2012
• IRRs (promulgated 2016)

2016 Series
• Circular 16-01: Government Agencies
• Circular 16-02: Data Sharing
• Circular 16-03: Breach Management
• Circular 16-04: Rules of Procedure

2017 Series
• Advisory 17-01: DPO Guidelines
• Advisory 17-02: PDS Guidelines
• Advisory 17-03: PIA Guidelines
• Circular 17-01: Registration
Step 1: Appoint a Data Protection Officer
• DPA Section 21 (b). Enforcement of the Data Privacy Act. “The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act.”

From https://privacy.gov.ph/advisories/
What does a Data Protection Officer do?
a. Monitor compliance
b. Ensure conduct of PIAs
c. Ensure data subjects’ rights are respected
d. Ensure proper breach management
e. Cultivate internal awareness on data privacy
f. Advocate a privacy-by-design approach
g. Serve as contact person for privacy matters
h. Serve as conduit with the NPC
i. Perform other duties as may be assigned

*See NPC Advisory 2017-01, pp. 6-7


What does a Compliance Officer for Privacy do?
The same functions (a) to (i) listed for the DPO above, carried out under the supervision of the DPO.

*See NPC Advisory 2017-01, pp. 6-7


DPO or COP? And other FAQs

Can a company have multiple DPOs?
▪ Yes, but only the lead DPO should be listed in the registration.

Can one DPO handle multiple companies?
▪ Possible, if the DPO is an employee of all those companies.
▪ Multiple registrations are required, one per company.

What are COPs for?
▪ To assist the DPO in covering large or remote sites.
▪ For subsidiaries that are “closely bound”.
▪ In either case, the DPO must agree in writing to supervise the COP.

Can the DPO’s functions be outsourced?
▪ The functions, yes. But not the role.

Step 2: Conduct a Privacy Impact Assessment
• DPA Section 20 (c). “The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.”

From https://privacy.gov.ph/advisories/
PR / B * C = IA
(Privacy Risk divided by Benefit, times Controls, gives the Impact Assessment)

Program, Process, or Measure | Privacy Risk | Benefit | Controls | Impact Assessment
X.1 | High | Low | (none) | Unacceptable
X.2 | Medium | Medium | High | Unreasonable
X.3 | Low | High | Low | Acceptable
X.25 | High | Medium / High | High ? / Medium ? | Acceptable
Step 3: Create a Privacy Management Framework

I. Governance
II. Risk Assessment
III. Organization
IV. Day to Day
V. Data Security
VI. Breaches
VII. Third Parties
VIII. Manage HR
IX. Continuity
X. Privacy Ecosystem
Step 4: Implement Privacy & Data Protection Measures

• SEC. 20 (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

• Guard against: Destruction, Alteration, Disclosure
• Objective/Goal: Availability, Integrity, Confidentiality (CIA)
• Measures: Organizational, Physical, Technical
Step 5: Breach Reporting Procedures
• IRR Section 38 (a) Data Breach Notification. The Commission and affected data subjects shall be notified by the PIC within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred.

From https://privacy.gov.ph/memorandum-circulars/
When is notification required?
Circular 16-03, Section 11. Notification is required when all three conditions are present:

01 The personal data involves sensitive personal information, or any other information that may be used to enable identity fraud.
02 There is reason to believe that the information may have been acquired by an unauthorized person.
03 The unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
Consequence of Non-notification
DPA Section 30. “Concealment of Security Breaches
Involving Sensitive Personal Information. The penalty
of imprisonment of one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than
One million pesos (Php1,000,000.00) shall be imposed
on persons who, after having knowledge of a security
breach and of the obligation to notify the Commission
pursuant to Section 20(f), intentionally or by omission
conceals the fact of such security breach.”
Step 6: Registration with the NPC
• IRR Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following: (a) registration of personal data processing systems operating in the country.

From https://privacy.gov.ph/memorandum-circulars/
Mandatory registration with the NPC if…

• You have at least 250 employees
• You handle at least 1,000 records involving sensitive personal information
• Your processing systems involve automated decision-making using PI/SPI
• You belong to (or provide service to) one of these sectors:
  Government, Banking and NFIs, Telecom and ISPs, BPOs, Education, Hospitals / Clinics, Genetics, Pharmaceuticals, Insurance & Brokers, Pre-need, Direct Marketing, Loyalty Programs

Summary: “Evidences” of Compliance

• Top Management Support (in memos, meeting minutes, etc.)
• Certificate of Registration (issued by the NPC)
• Privacy Impact Assessments
• Control Frameworks (and field test results)
• Breach Management Manual (and drill results)
• Privacy Policies, Manual (and proof of inception)
• Respect for rights of data subjects (consent form, access procedures, etc.)
• Third-party contracts
• Data privacy governance (structure, SOPs and cadence)
• Complaints handling process (and tracking stats)
That’s a lot to do! Where to start?

A Phased Approach

• Phase 1: Gap Analysis. Benefits: Proper Scope, Organizational Alignment
• Phase 2: Close the Gaps. Choose the Right Partner for each Gap
• Phase 3: Certify Compliance. Independent, Third-party Assessment
What’s your risk level?
Let’s Score!
Count the number of “T” and “D” answers.
You get 5 points for every “T”.
You get 5 points for every “D”.

Score bands: 0-40 | 45-70 | 75+
The higher the score, the sooner you should…

First:
• Conduct a Top Management Briefing
• Perform Gap Analysis (Phase 1)
• Appoint a DPO
• Establish the Breach Management team, policy and procedures
• Register with the NPC

Then:
• Conduct PIAs for high-impact processes
• Review/revise touchpoints with data subjects
• Review/revise service provider contracts (if any)
• Review/revise Privacy and Data Protection Policies
• Review/revise data sharing agreements (if any)

Then:
• Deploy controls identified in the PIA
• Initiate change management efforts to cascade PDP policies
• Formalize the data governance organization and cadence
• Work on other processes that haven’t had PIAs
Sample Agenda for an Executive Briefing
Start End Module Topic
9:00 9:30 1 Introduction: The Phased Approach
9:30 10:15 2 The Case for Compliance
10:30 11:30 3 The Cost of Non-Compliance
11:30 12:00 4 What Legal Compliance Looks Like
1:00 1:30 5 What Operational Compliance Looks Like
1:30 2:00 6 The Need for a DPO
2:00 2:45 7 Forming the Breach Team
2:45 3:45 8 How to do a Privacy Impact Assessment
3:45 4:15 9 Exposing Data to Third Parties
4:15 4:45 10 Deadlines and Timelines
4:45 5:00 11 Closing: The Way Forward
Dates and Deadlines to Remember
March 8, 2018 and every March 8 thereafter

▪ See NPC Circular 17-01 (Registration of Data Processing Systems)

72 hours for breach notification

▪ See NPC Circular 16-03, Personal Data Breach Management

Annual Incident Report

▪ See Implementing Rules and Regulations of the Data Privacy Act, Sec. 41.b

The week of August 15, every year

▪ Privacy Awareness Week

As Needed

▪ Review if any PIAs need to be updated.


▪ Conduct breach drills, business continuity drills, vulnerability testing.
Compliance is a journey: Commitment to Comply, then Capacity to Comply, then Compliance.
Thank You!

Dondi Mapa
dmapa@outlook.com
