NPC: Late Registrants, May Face Privacy Compliance Checks
Public and private companies that failed to beat the September 9 deadline for the registration of their data processing systems starting with the registraton of their Data Protection Officer (DPO) could face compliance checks, the National Privacy Commission (NPC) warned.
Since September 9 fell on a Saturday, a non-working day, the deadline automatically moves to the next working day, on Monday of September 11, 2017.
“Failure to register may subject a company or an agency to compliance checks, compliance orders, and depending on attendant circumstances may be considered evidence of unauthorized processing, punishable under the Data Privacy Act.,” said Chairman and Privacy Commissioner Raymund Enriquez Liboro. “For one thing, in case an organization
suffers a data breach in the future, its non-registration would imply lack of due diligence, critical in defending against charges of negligence,” Liboro added.
“We will continue accepting DPO registration papers from controllers and processors even after the Monday deadline but such will be considered “late registrants”, and included in the list of priority organizations for a data privacy compliance check.” Said Commissioner Liboro.
A compliance check by the NPC means an organization will be subjected to a comprehensive compliance validation process based on 10 critical aspects of accountability, which the NPC has termed as the Data Governance Framework. The compliance check involves interviews, operations inspection, documents analysis, and pertinent activities intended to appraise the organization’s culture of privacy.
Several conglomerates have registered their DPOs with the NPC, among them are companies under the Ayala Group, the SM Group of companies as well as the Lucio Tan Group, One of the first companies that was able to comply with the designation and registration of a DPO was Philippine National Bank one of the companies under the Lucio Tan group, they submitted their registration as early as May this year. According to Roland Oscuro, DPO of PNB: “In our industry, the protection of personal data is essential in maintaining the trust of our customers, as well as improving market position. Our long term goal is to develop a culture of privacy within our organization that we hope our employees can take home and share with their family and friends” Mr. Oscuro said.
Unionbank, another banking institution that has complied with the Data Privacy Act is aware of the value of data privacy in the information driven world. According to Henry Aguda, DPO of Unionbank: “Data privacy is the proxy for trust in the information age. Together with the appropriate information security, privacy, as an organizational mindset, paves the way for responsible innovation in both online and onsite banking services. It provides convenience with a foundation for trust. The loss of trust for a bank or any business, for that matter, can be catastrophic."
In case the NPC finds an organization wanting, Liboro said the privacy compliance check could lead to the issuance of a Compliance Order, which enforces specific actions to be performed by the company within a time period. In case the organization did not follow through satisfactorily, it will trigger a formal investigation, that could possibly result in prosecution.
In an effort to give organizations ample time to comply, the commission has earlier divided the registration process into two phases and extended the deadline for the more rigorous second phase to March 8, 2018. The first phase, however, which essentially consists of a DPO registration, is not subject to an extension.
“Much as we may want an extension, we are compelled by law to strictly enforce the September 9 deadline for organizations to register their data processing system, which is exactly one year following the date of effectivity of the IRR (implementing rules and regulations). We understand privacy compliance is something new and we’ve made it easier by dividing it into phases, so that phase one is just all about DPO registration. We cannot, however, be lenient about the deadline itself,” Liboro said.
Section 47 of the IRR of the Data Privacy Act of 2012 requires personal information controller (PIC) or personal information processor (PIP) that employs 250 persons or more to register their information processing system with the NPC. Those that employ fewer than 250 persons are also required to register if their operations involve the processing of personal data that may likely pose a risk to the rights and freedoms of data subjects; the processing is not occasional; or the processing includes sensitive personal information of at least one thousand (1,000) individuals.