
A Management Approach to Data Privacy Compliance


Dondi Mapa (dmapa@outlook.com)
Former Commissioner, Commission on Information & Communications Technology
Former Deputy Privacy Commissioner, National Privacy Commission
Republic of the Philippines
Why comply?

01 Legal
02 Ethical
03 Safety
04 Practical
01 Legal
02 Ethical

• Right to be informed
• Right to object
• Right to access
• Right to data portability
• Right to correct
• Right to block/remove
• Right to file a complaint
• Right to be indemnified
03 Safety

“The Data Privacy Act is the safety belt for organizations that are moving into the world of digital transformation and data monetization.”
- Dondi Mapa

• Job Loss
• Fines
• Bankruptcy
• Loss of Market Value
• Jail
04 Practical
So… you didn’t comply.

What’s the worst that could happen?


Section 7.b
The National Privacy Commission has the power to…
• receive complaints,
• institute investigations,
• facilitate or enable settlement of complaints through the
use of alternative dispute resolution processes,
• adjudicate,
• award indemnity on matters affecting any personal
information,
• prepare reports on disposition of complaints and resolution
of any investigation it initiates, and,
• in cases it deems appropriate, publicize any such report.
Events that may trigger a data privacy investigation by the NPC

01 Complaint from a data subject
   The rules for complaints handling are contained in NPC Circular 16-04, “Rules of Procedure of the NPC”.
02 Report from a whistleblower
   NPC does not reward whistleblowers.
03 Own initiative
   May be based on a news article.
04 Random sectoral audit
[Chart: Nature of complaints received by NPC as of 30 June 2017]
Complaints & Investigation Process

1. Data Subject submits written complaint to your organization.

4. After conducting its investigation, the NPC may:
   - Dismiss the case
   - Send it to arbitration
   - Find for complainant

Note: Findings are subject to appeal, which must be filed within 15 days.
If the complaint is upheld
The National Privacy Commission may…
• Issue cease and desist orders, impose a temporary or permanent
ban on the processing of personal information, upon finding that
the processing will be detrimental to national security and public
interest (Sec. 7.c)
• Compel or petition any entity, government agency or
instrumentality to abide by its orders or take action on a matter
affecting data privacy (Sec. 7.d)
• Recommend to the Department of Justice the prosecution and
imposition of penalties specified in this Act (Sec. 7.i)

• Compliance Order
• Damages
• Publication
• Ban on Processing
• Prosecution
Who is liable?
• Sec. 22. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein…

• Sec. 34. Extent of Liability. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.


Ok…I’m convinced.

So how do we comply?
Section 21.b
“The personal information controller shall designate
an individual or individuals who are accountable for
the organization’s compliance with this Act.”

From https://privacy.gov.ph/advisories/
Section 20.f
“The PIC shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the PIC or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.”

From https://privacy.gov.ph/memorandum-circulars/
The Role of BCMAP Members
SEC. 20. Security of Personal Information. – (a) The personal information controller must
implement reasonable and appropriate organizational, physical and technical measures
intended for the protection of personal information against any accidental or unlawful
destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) The personal information controller shall implement reasonable and appropriate
measures to protect personal information against natural dangers such as accidental loss
or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination.
(c) The determination of the appropriate level of security under this section must take
into account the nature of the personal information to be protected, the risks represented
by the processing, the size of the organization and complexity of its operations, current
data privacy best practices and the cost of security implementation. Subject to guidelines
as the Commission may issue from time to time, the measures implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action
against security incidents that can lead to a security breach
NPC’s Five Pillars of Compliance
NPC’s Data Privacy Accountability and Compliance Framework

I. Governance
II. Risk Assessment
III. Organization
IV. Day to Day
V. Data Security
VI. Breaches
VII. Third Parties
VIII. Manage HR
IX. Continuity
X. Privacy Ecosystem
Summary: What “legal” compliance looks like

• Governance: appointing a DPO
• NPC registration: keep it up-to-date
• Breach: always be prepared
• PIA: understanding privacy risks
• Golden rule: uphold the rights of data subjects
• CIA: protect what you collect
• TLP: process according to privacy principles
“Evidences” of Compliance

• Certificate of Registration (issued by the NPC)
• Top Management Support (in memos, meeting minutes, etc.)
• Privacy Impact Assessments
• Control Frameworks (and field test results)
• Breach Management Manual (and drill results)
• Privacy Policies, Manual (and proof of inception)
• Respect for rights of data subjects (consent form, access procedures, etc.)
• Third-party contracts
• Data privacy governance (structure, SOPs and cadence)
• Complaints handling process (and tracking stats)
That’s a lot to do!

Where to start?
A Phased Approach

Phase 1: Gap Analysis
   Benefits: Proper Scope, Organizational Alignment

Phase 2: Close the Gaps
   Choose the Right Partner for each Gap

Phase 3: Certify Compliance
   Independent, Third-party Assessment
WHY: The Case for Compliance; The Cost of Non-Compliance

WHAT: Legal Compliance; Operational Compliance

HOW: Phased Approach; Deep Dive PIA

WHEN: Proper Timing

WHO: The DPO; The Breach Team

WHERE: With regard to Location
Dates and Deadlines to Remember
March 8, 2018 and every March 8 thereafter

▪ See NPC Circular 17-01 (Registration of Data Processing Systems) to see if you are required
to register, and what data you need to provide. If any registration data has changed, you
must inform the NPC within two months of the change.

72 hours for breach notification

▪ See NPC Circular 16-03, Personal Data Breach Management

Annual Incident Report

▪ See Implementing Rules and Regulations of the Data Privacy Act, Sec. 41.b

The week of August 15, every year

▪ Privacy Awareness Week, to commemorate the signing of the Data Privacy Act on Aug. 15.
This provides an opportunity to schedule company-wide events.

As Needed

▪ Review if any PIAs need to be updated.


▪ Conduct breach drills, business continuity drills, vulnerability testing.
Compliance is a journey

Commitment to Comply → Capacity to Comply → Compliance
Thank You!

Dondi Mapa
dmapa@outlook.com
