
Management Briefing on

Data Privacy Compliance


VALLE VERDE COUNTRY CLUB
Ma. Susana I. Arcan
Outline of Management Briefing
 Where we are Now
 Current situation
 Current level of Compliance
 Where we want to Go
 Vision/Mission of Privacy Office
 How we get there
 Compliance Roadmap
Where we are now

 Current situation
 Number of data subjects:
 Number of service providers and 3rd parties:
 Possible consequences of breach:
 Current compliance level
 (baseline score based on NPC “rating tool”)
Why we should be worried about data breaches
 Personal data can be stolen and used in identity theft
 Loss of reputation resulting in loss of share value
 Loss of competitiveness resulting in lost revenue
 Litigation
 Loss of license / authority to operate
 Shutdown of operations
 Loss of jobs
 Jail and fines

Possible monetary losses from a data breach: PhP xxxxxx


Where we want to Go:
Vision/Mission of Privacy Office

 Our company vision/mission:

 The privacy office vision/mission and how it contributes to our overall strategy:

 Privacy objectives/goals/tactics/measures:
How we get there:
Our compliance roadmap

 Buy-in of Top Management
 Establish the data governance organization and cadence
 Establish the Breach Management policy, team and procedures
 Respond to Breaches (as needed)
 Initiate change management efforts to cascade PDP Policies
 Create PDIs and Conduct PIAs
 Deploy controls identified in PIA
 Respond to data subject complaints/requests
 Review/revise privacy notices
 Review/revise Privacy and Data Protection (PDP) Policies
 Audit/Certification
 Review/revise data processing agreements (if any)
 Review/revise data sharing agreements (if any)
 Register with the NPC
 Submit annual reports and update registration (as needed)
List of “help needed” Items
 For example:
 Creation of a Breach Team
 Appointment of COPs
 Assigning Department Heads to:
 Conduct a PIA
 Revise privacy notices, policies, and procedures
 Review subcontracting and data sharing agreements
 Rollout revisions to affected staff
 Performing a breach drill
List of PIAs to be Prioritized & Business Benefits of doing a PIA

 Membership Information Sheet
 Membership
 Billing
 Banquet
 Employee Application Forms
 Hired
 For active file
 Service Providers
 Resignees/Retirees
Gap Analysis Summary

 Number of PIAs that need to be conducted


 Number of Privacy Notices needed
 Number of Privacy Policies needed
 Number of Contracts affected
 Number of employees that need to be retrained
 Estimated budget needed for compliance project
Project Logistics / Next Steps

 When will you start? Do you have everything needed to get started? If not, what else is needed?
 Who will be on your team?
 How will you measure and report progress? How often?
 How will you know you have successfully completed this project?
Backup Slides
(Samples)
8 Tough Questions every DPO should always be ready to answer

1. What is our current exposure?


2. Where are we now on our compliance journey?
3. What are the consequences of doing nothing?
 What else needs to be done:
4. How much longer will it take?
5. How much more will it cost?
6. What help do you need?
7. How will we track progress?
8. How will we know we are done?
Help Needed

Top Management
• Budget support for tools and technology for information and training activities
• Incorporating compliance into the performance parameters of those handling personal data
• Drive the message throughout the organization

Process Owners
• Own/maintain their respective privacy impact assessment
• Consult DPO on strategic projects involving the use of personal data (“privacy by design”)
• Conduct breach drills on their respective processes

HR Team
• Roll-out training on privacy and data protection
• Issue security clearances to staff processing personal data. Access to all security clearances issued
• Implement the recommended organizational controls

Legal
• Ensure that all PIP/service provider contracts are compliant.
• Ensure that all external sharing of data meets the required guidelines of the NPC
Data Privacy Compliance Task List for: XXX Department
1. Sign-off on Personal Data Inventory and Information Lifecycle
2. Sign-off on Privacy Impact Assessment
3. Sign-off on Privacy Notice
4. Revise Policies/Procedures/Forms which cover collection/storage of personal data
5. Revise Policies/Procedures/Forms which cover disclosure/sharing of personal data
6. Revise Policies/Procedures/Forms which cover retention/disposal of personal data
7. Conduct privacy training for employees who handle personal data
8. Coordinate with HR on issuance of clearances to employees who handle personal data
9. Roll-out revised policies/procedures/forms
10. Conduct breach drill for
Data Privacy Compliance Task List for: Data Privacy Office
1. Develop/roll-out policy to handle Inquiries/Request from Data Subjects
2. Form Breach Team
3. Develop/roll-out policy on Breach/Incident Management
4. Conduct Breach Management Workshop for Breach Team
5. Coordinate with Process Owners on schedule of breach drills
6. Link complaints system with breach monitoring process
7. Monitor compliance progress of various Departments
8. Ensure a privacy-by-design approach for new systems/services
9. Ensure NPC registration is up-to-date
10. Coordinate with Internal Audit on privacy and compliance audits
Recommended members of the Breach Team

• DPO
• HRD Manager
• Sales and Marketing Supervisor
• Network Administrator
• Accounting Head
List of PIA Candidates

 1. Recruitment Process
 2. Employees 201 File
 3. Pre-employment and Annual Physical Examination
 4. Random Drug test for employees
 5. Payroll Processing
 6. Mandatory Benefits Filing
 7. Customer Master File
 8. Contract Grower Master File
 9. Supplier Master File
 10. Service Provider Master File
Business Benefits of doing a PIA

Involvement of the stakeholders in the process

Determine the risk of the process or a project using the risk map

Prioritize the risk that needs additional controls

Identification of controls that will be used to control the risk

Deciding factor whether to drop or pursue a project

Continuous assessment will help build the privacy measures into the design of the system
List of Data Subjects

• Employees
• Customers
• Suppliers
• Partners
• Service Providers
• Job Applicants

Privacy Notices and Policies for our data subjects
• Employees
• Customers
• Suppliers
• Partners
• Service Providers
• Applicants
List of PIPs and Third Parties

PIPS
• Service Providers
• Medical Clinics

Third Parties
• Government Agencies (SSS,
PHILHEALTH, PAG-IBIG Fund, BIR)
• Sister Company
List of data sharing agreements and service provider contracts that need to be reviewed

PIPS
• Service Providers
• Medical Clinics

Third Parties
• Sister Company
Rights of the data subject:
• Right to be informed
• Right to object
• Right to access
• Right to data portability
• Right to correct
• Right to block/remove
• Right to file a complaint
• Right to be indemnified

“Our rights as data subjects…”

• Section 16, “Rights of the Data Subject”
• Section 17, “Transmissibility of the Rights of the Data Subject”
• Section 18, “Right to Data Portability”
• Section 19, “Non-Applicability”
“What personal data was processed?”

 Section 3.c: “Personal information” (PI) refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
 Section 3.l: “Sensitive personal information” (SPI) refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person, the
disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to,
social security numbers, previous or current health records, licenses or its denials, suspension
or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
 IRR Section 3.j: “Personal data” refers to all types of personal information.
What is the basis for “authorized processing”?

The basis for PI is taken from Sec. 12 of the DPA (Sec. 21 of the IRR); the basis for SPI is taken from Sec. 13 of the DPA (Sec. 22 of the IRR).

1. Consent of the data subject
   For PI: Given prior to the collection, or as soon as practicable and reasonable
   For SPI: Given prior to the processing, which shall be undertaken pursuant to a declared, specified, and legitimate purpose

2. Contractual agreement
   For PI: To fulfill obligations under the contract, or to take steps at the request of the data subject prior to entering the contract

3. Legal obligation
   For PI: For compliance with a legal obligation to which the PIC is subject
   For SPI: As provided for by existing laws and regulations that do not require consent and that guarantee the protection of personal data

4. To protect vital interests
   For PI: To protect vitally important interests of the data subject, including his/her life and health
   For SPI: To protect the life and health of the data subject or another person, and the data subject is not able to express consent

5. For medical treatment
   For SPI: Processing is necessary for medical treatment; provided that processing is carried out by a medical practitioner or institution, and an adequate level of protection of personal data is ensured

6. Lawful and noncommercial objectives
   For SPI: For as long as processing is confined to the members of the public organization or association, and the data is not transferred to third parties, and consent was obtained prior to processing

7. Public order and safety
   For PI: To respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law

8. Legitimate interests of the PIC
   For PI: To pursue the legitimate interests of the PIC or PIP, except where such interests are overridden by fundamental rights and freedoms

9. Public authority
   For SPI: For the protection of lawful rights and interests of persons in court proceedings or legal claims, or when provided to public authority pursuant to a constitutional or statutory mandate

Non-applicability of rights (Sec. 19 DPA, Sec. 37 IRR): Sections on the rights of the data subject are not applicable to processing for the purpose of investigations in relation to any criminal, administrative or tax liabilities – to the minimum extent necessary to achieve the purposes of said investigation.
Penalties under the DPA (where two jail terms are given, the first applies to PI and the second to SPI):

Sec.  Punishable Act            Jail Term (PI / SPI)     Fine (Pesos)
25    Unauthorized processing   1y to 3y / 3y to 6y      500k to 4m
26    Access due to negligence  1y to 3y / 3y to 6y      500k to 4m
27    Improper disposal         6m to 2y / 3y to 6y      100k to 1m
28    Unauthorized purposes     18m to 5y / 2y to 7y     500k to 2m
29    Intentional breach        1y to 3y                 500k to 2m
30    Concealment of breach     18m to 5y                500k to 1m
31    Malicious disclosure      18m to 5y                500k to 1m
32    Unauthorized disclosure   1y to 3y / 3y to 5y      500k to 2m
33    Combination of acts       3y to 6y                 1m to 5m
Parties in the flow of personal data, and the document that governs each flow:

• Data Subject (whose personal data is being collected and processed) and the PIC: Consent Form or Privacy Notice
• PIC (Original entity who decides on the collection and processing of personal data) and a PIC or Joint Controller (External entity who will use the data for a different purpose): Data Sharing Agreement (DSA) or Joint Controller Agreement
• PIC and a PIP (An external entity to whom the processing of personal data has been outsourced): Outsourcing Agreement or Data Processing Agreement (DPA)
• PIC and Other Third Parties (Government Agencies, LGUs, LEOs, Rep or Heirs of Data Subject, etc.): Laws and Regulations, Court Orders, Mission Orders, Vital Interest, SPA, Proof of Entitlement, etc.
Presentation Tips
(Samples)
Can you explain the need for data privacy compliance in an “elevator pitch”?

 Compelling, exciting and straightforward
 Paints the “big picture” in a sound bite
 Short (like a tweet) so it’s easy to memorize and gets everyone on the same page
 Focus on the one thing you want your audience to remember (and repeat to others)
 iPod: allows you to carry 1,000 songs in your pocket
 Google: organizes the world’s information
 For example, the elevator pitch for making the movie “Jaws”
 It’s a movie about a police chief with a phobia for open water, who battles a gigantic
shark with an appetite for swimmers and boat captains, while going against a greedy town
council who wants to keep the beaches open to the public.
 Elements: the hero, the conflict, the challenges to overcome
What’s your pitch?

 Elements: the hero, the conflict, the challenges to overcome
 Elements: the data subject, the worst breach, the challenges to overcome

Our {employee / patient / customer / voter, …} data is so valuable that we would lose {revenue / reputation / customers / trust / …} if something like {DFA / Jollibee / SingHealth / Cathay / Marriott / …} were to happen to us, and the way to avoid that is to get our {PIAs / privacy notices / privacy policies / data sharing agreements / employee training / …} completed before the end of the {month / quarter / semester / year / …}
Factors to consider

• Legal and Regulatory Factors
• Contractual Factors
• Business Factors
• Company Objectives, Goals, Strategies, Measures
• Company Vision/Mission Statement
• Privacy Vision/Mission Statement
• Other Factors
