01 Legal   02 Ethical   03 Safety   04 Practical
01 Legal
2016 Series
Circular 16-01: Gov’t Agencies
Circular 16-02: Data Sharing
Circular 16-03: Breach Mgmt
Circular 16-04: Rules of Procedure
2017 Series
Advisory 17-01: DPO Guidelines
Advisory 17-02: PDS Guidelines
Advisory 17-03: PIA Guidelines
Circular 17-01: Registration
02 Ethical
01 Complaint from a data subject
02 Report from a whistleblower
03 Own Initiative
04 Random audit
Compliance Order / Ban on Processing / Damages / Publication / Prosecution
Who is liable?
Sec.22. The head of each government agency or
instrumentality shall be responsible for complying with
the security requirements mentioned herein…
Sec. 33 | Combination of acts | 3y to 6y | 1m to 5m
Ok…I’m convinced. So how do we comply?
The Obligations which must be complied with
Step 1: Appoint a Data Protection Officer
DPA Section 21 (b). Enforcement of the Data Privacy Act.
“The personal information controller shall designate an
individual or individuals who are accountable for the
organization’s compliance with this Act.”
From https://privacy.gov.ph/advisories/
What does a Data Protection Officer do?
a. Monitor compliance
b. Ensure conduct of PIAs
c. Ensure data subjects’ rights are respected
d. Ensure proper breach management
e. Cultivate internal awareness on data privacy
f. Advocate a privacy-by-design approach
g. Serve as contact person for privacy matters
h. Serve as conduit with the NPC
i. Perform other duties as may be assigned
▪ Yes, but only the lead DPO should be listed in the registration.
From https://privacy.gov.ph/advisories/
PR / B * C = IA
PR = Privacy Risk (of the Program, Process, or Measure); B = Benefit; C = Controls; IA = Impact Assessment
(Risk matrix: High / Medium / Acceptable)
Step 3: Create Privacy Management Framework
I. GOVERNANCE
II. RISK ASSESSMENT
III. ORGANIZATION
IV. DAY TO DAY
V. DATA SECURITY
VI. BREACHES
VII. THIRD PARTIES
VIII. MANAGE HR
IX. CONTINUITY
X. PRIVACY ECOSYSTEM
Step 4: Implement Privacy & Data Protection Measures
SEC. 20 (a) The personal information controller must
implement reasonable and appropriate organizational,
physical and technical measures intended for the
protection of personal information against any accidental
or unlawful destruction, alteration and disclosure, as well
as against any other unlawful processing.
From https://privacy.gov.ph/memorandum-circulars/
When is notification required?
Circular 16-03, Section 11
01 The personal data involves sensitive information, or any other information that may be used to enable identity fraud.
02 There is reason to believe that the information may have been acquired by an unauthorized person.
03 The unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
Consequence of Non-notification
DPA Section 30. “Concealment of Security Breaches
Involving Sensitive Personal Information. The penalty
of imprisonment of one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than
One million pesos (Php1,000,000.00) shall be imposed
on persons who, after having knowledge of a security
breach and of the obligation to notify the Commission
pursuant to Section 20(f), intentionally or by omission
conceals the fact of such security breach.”
Step 6: Registration with the NPC
IRR Section 46. Enforcement of the Data Privacy Act. Pursuant to
the mandate of the Commission to administer and implement the Act,
and to ensure the compliance of personal information controllers with
its obligations under the law, the Commission requires the following:
(a) registration of personal data processing systems operating in the
country.
From https://privacy.gov.ph/memorandum-circulars/
Mandatory registration with the NPC if…
▪ Data privacy governance (structure, SOPs and cadence)
▪ Complaints handling process (and tracking stats)
That’s a lot to do! Where to start?
A Phased Approach
Phase 3: Certify Compliance (Independent, Third-party Assessment)
What’s your risk level?
Let’s Score!
Count the number of “T” and “D”.
You get 5 points for every “T”.
You get 5 points for every “D”.
Score bands: 0-40 | 45-70 | 75+
The higher the score, the sooner you should…
▪ Conduct PIAs for high impact processes
▪ Review/revise touchpoints with data subjects
▪ Review/revise service provider contracts (if any)
▪ Review/revise data sharing agreements (if any)
▪ Review/revise Privacy and Data Protection Policies
▪ See Implementing Rules and Regulations of the Data Privacy Act, Sec. 41.b
(Figure labels: Commitment to Comply; Capacity to Comply; Compliance; As Needed)
Thank You!
Dondi Mapa
dmapa@outlook.com