Brief Guide To Data Privacy Compliance - BCMAP 13 Sep 2017 PDF
01 Legal
02 Ethical
03 Safety
04 Practical
01 Legal
02 Ethical
▪ Complaint from a data subject
▪ Report from a whistleblower
▪ Own-initiative audit
▪ Random
▪ Compliance Order
▪ Ban on Processing
▪ Damages
▪ Publication
▪ Prosecution
Who is liable?
Sec.22. The head of each government agency or
instrumentality shall be responsible for complying with
the security requirements mentioned herein…
Ok…I’m convinced.
So how do we comply?
Section 21.b
“The personal information controller shall designate
an individual or individuals who are accountable for
the organization’s compliance with this Act.”
From https://privacy.gov.ph/advisories/
Section 20.f
“The PIC shall promptly notify the Commission and affected data
subjects when sensitive personal information or other information
that may, under the circumstances, be used to enable identity fraud
are reasonably believed to have been acquired by an unauthorized
person, and the PIC or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious
harm to any affected data subject.”
From https://privacy.gov.ph/memorandum-circulars/
The Role of BCMAP Members
SEC. 20. Security of Personal Information. – (a) The personal information controller must
implement reasonable and appropriate organizational, physical and technical measures
intended for the protection of personal information against any accidental or unlawful
destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) The personal information controller shall implement reasonable and appropriate
measures to protect personal information against natural dangers such as accidental loss
or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination.
(c) The determination of the appropriate level of security under this section must take
into account the nature of the personal information to be protected, the risks represented
by the processing, the size of the organization and complexity of its operations, current
data privacy best practices and the cost of security implementation. Subject to guidelines
as the Commission may issue from time to time, the measures implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action
against security incidents that can lead to a security breach
NPC’s Five Pillars of Compliance
NPC’s Data Privacy Accountability
and Compliance Framework
I. Governance
II. Risk Assessment
III. Organization
IV. Day to Day
V. Data Security
VI. Breaches
VII. Third Parties
VIII. Manage HR
IX. Continuity
X. Privacy Ecosystem
Summary: what “legal” compliance looks like
▪ NPC registration: keep it up-to-date
▪ Governance: appointing a DPO
▪ Breach: always be prepared
▪ PIA: understanding privacy risks
▪ CIA: protect what you collect
▪ TLP: process according to privacy principles
▪ Golden rule: uphold the rights of data subjects
“Evidences” of Compliance
▪ Certificate of Registration (issued by the NPC)
▪ Top Management Support (in memos, meeting minutes, etc.)
▪ Control Frameworks (and field test results)
▪ Privacy Impact Assessments
▪ Data privacy governance (structure, SOPs and cadence)
▪ Complaints handling process (and tracking stats)
That’s a lot to do!
Where to start?
A Phased Approach
Phase 3: Certify Compliance (Independent, Third-party Assessment)
WHY: The Case for Compliance; The Cost of Non-Compliance
WHAT: Legal Compliance; Operational Compliance
HOW: Phased Approach; Deep Dive PIA
WHEN: Proper Timing
▪ See NPC Circular 17-01 (Registration of Data Processing Systems) to see if you are required
to register, and what data you need to provide. If any registration data has changed, you
must inform the NPC within two months of the change.
▪ See Implementing Rules and Regulations of the Data Privacy Act, Sec. 41.b
▪ Privacy Awareness Week commemorates the signing of the Data Privacy Act on Aug. 15.
This provides an opportunity to schedule company-wide events.
Commitment to Comply; Capacity to Comply; Compliance (as needed)
Thank You!
Dondi Mapa
dmapa@outlook.com