Current situation
Number of data subjects:
Number of service providers and 3rd parties:
Possible consequences of breach:
Current compliance level (baseline score based on NPC “rating tool”)
Why we should be worried about data breaches
Personal data can be stolen and used in identity theft
Loss of reputation resulting in loss of share value
Loss of competitiveness resulting in lost revenue
Litigation
Loss of license / authority to operate
Shutdown of operations
Loss of jobs
Jail and fines
Privacy objectives/goals/tactics/measures:
How we get there:
Our compliance roadmap
• Establish the Breach Management policy, team and procedures
• Respond to Breaches (as needed)
• Respond to data subject complaints/requests
• Create PDIs and Conduct PIAs
• Deploy controls identified in PIA
Buy-in of Top Management
Top Management
• Budget support for tools and technology for information and training activities
• Incorporating compliance into the performance parameters of those handling personal data
• Drive the message throughout the organization
Owners
by design”)
• Conduct breach drills on their respective processes
HR Team
• Issue security clearances to staff processing personal data. Access to all security clearances issued
• Implement the recommended organizational controls
Accounting Head
List of PIA Candidates
1. Recruitment Process
2. Employees 201 File
3. Pre-employment and Annual Physical Examination
4. Random Drug test for employees
5. Payroll Processing
6. Mandatory Benefits Filing
7. Customer Master File
8. Contract Grower Master File
9. Supplier Master File
10. Service Provider Master File
Business Benefits of doing a PIA
Involvement of the stakeholders in the process: Partners, Service Providers, Job Applicants
Privacy Notices and Policies for our data subjects
• Employees
• Customers
• Suppliers
• Partners
• Service Providers
• Applicants
List of PIPs and Third Parties
PIPS
• Service Providers
• Medical Clinics
Third Parties
• Government Agencies (SSS, PHILHEALTH, PAG-IBIG Fund, BIR)
• Sister Company
List of data sharing agreements and service provider contracts that need to be reviewed
PIPS
• Service Providers
• Medical Clinics
Third Parties
• Sister Company
• Right to be informed
• Right to object
• Right to access
• Right to data portability
3. Legal obligation
   Personal information: For compliance with a legal obligation to which the PIC is subject
   Sensitive personal information: As provided for by existing laws and regulations that do not require consent and that guarantee the protection of personal data
4. To protect vital interests
   Personal information: To protect vitally important interests of the data subject, including his/her life and health
   Sensitive personal information: To protect the life and health of the data subject or another person, and the data subject is not able to express consent
5. For medical treatment
   Sensitive personal information: Processing is necessary for medical treatment; provided that processing is carried out by a medical practitioner or institution, and an adequate level of protection of personal data is ensured
6. Lawful and noncommercial objectives
   Sensitive personal information: For as long as processing is confined to the members of the public organization or association, and the data is not transferred to third parties, and consent was obtained prior to processing
7. Public order and safety
   Personal information: To respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law
8. Legitimate interests of the PIC
   Personal information: To pursue the legitimate interests of the PIC or PIP, except where such interests are overridden by fundamental rights and freedoms
9. Public authority
   Sensitive personal information: For the protection of lawful rights and interests of persons in court proceedings or legal claims, or when provided to public authority pursuant to a constitutional or statutory mandate
Non-applicability of rights (Sec. 19 DPA, Sec. 37 IRR): Sections on the rights of the data subject are not applicable to processing for the purpose of investigations in relation to any criminal, administrative or tax liabilities, to the minimum extent necessary to achieve the purposes of said investigation.
Punishable acts (Sec., Punishable Act, Jail Term, Fine in Pesos):
• Sec. 33, Combination of acts: jail term 3y to 6y; fine 1m to 5m pesos
Privacy Vision/Mission Statement (diagram): derived from the Company Vision/Mission Statement (Company Objectives, Business Goals, Strategies, Measures), Legal and Regulatory Factors, Contractual Factors, Other Factors, and inputs from Other Third Parties (Government Agencies, LGUs, LEOs, Rep or Heirs of Data Subject, etc.): Laws and Regulations, Court Orders, Mission Orders, Vital Interest, SPA, Proof of Entitlement, etc.