What is the Data Protection landscape like amongst organisations? - A Perspective from the Philippines.
In the last few months, due to the pandemic, awareness of privacy and data protection has gained a lot of traction. This is evident in social media discussions and TV news coverage. Citizens raised various issues and concerns about privacy, especially that of people closely affected by COVID-19. On the other hand, business groups, politicians, government officials and even opinion writers called for the Data Privacy Act to be suspended.
One of the key challenges we observed in a lot of organizations is top management's commitment to abide by privacy and data protection. The pandemic has strained business operations and the organization's immediate survival. Sadly, data protection is put on the back burner due to the company's many priorities and its focus on health and safety.
This does not have to be the case. Organizations and business leaders need a paradigm shift in their business thinking and should look at privacy and data protection as a business enabler, especially in the turbo-accelerated digital transformation induced by the pandemic. Most organizations look at data protection as another compliance activity that does not provide concrete business impact.
The key is understanding the rationale of privacy and data protection. When the data protection principles are clear, companies can work on their purpose and translate the requirements into their data processing information lifecycle. The information lifecycle is the collection, use, disclosure/disposal and storing of personal data. The rules for personal data processing, or the information lifecycle, can be embedded into practical standard operating procedures that enhance the efficacy of business operations and can provide tangible benefits.
Commissioner Liboro of the National Privacy Commission (NPC) has repeatedly stated in talks he has given in various forums that in the event of a data breach, NPC will not ask how many millions the company spent on its hardware and IT experts. NPC will ask instead if it has implemented a data protection management program. A data protection management program is as simple as G-A-P-S-R. The company needs to have a governance (G) structure, assess (A) the risks, protect (P) by developing and implementing standard operating procedures (SOPs) to address the identified risks, sustain (S) the data protection efforts, including following the SOPs, and respond (R) to any incidents that may cause harm, to any customer complaints and to any queries raised by the NPC.
What organizations need to do is put in place a data protection management program that is appropriate to their business operations and that identifies and mitigates privacy and data protection risks. Continue the program by adopting a lifecycle management approach. Implementing a data protection management program does not have to be costly. And it can have the added benefit of identifying ways of improving, including streamlining, business processes - resulting in a better customer experience and lower operating costs.
The National Privacy Commission (NPC) has put great effort into building awareness and public education on the Data Privacy Act over the last four years. NPC has organized various events and workshops across the country. It has also organized sector-specific forums. The public can visit the NPC website and learn from the advisories and bulletins it issues regularly. As the current pandemic situation persists, we are on an expedited journey into a full appreciation of privacy and data protection.
The Philippines is in a forward position compared to most ASEAN countries. Singapore, which passed its Personal Data Protection Act (PDPA) in 2012, is also experiencing a development period, evidenced by new government initiatives providing support for companies to implement data protection management programs and subsidies for individuals to upskill in this new area. A similar law was passed in Malaysia in 2010 but has not hit the ground running. Indonesia and Thailand have yet to put their similar regulations into effect.
The exponential transformation of business operations to digital will force companies to adapt to the demands of enhancing and providing utmost convenience to consumers. Executives and organizations must adopt a holistic approach to Governance, Risk Management and Compliance, specifically in the area of privacy and data protection, with earnest intent to innovate and grow. Organizations that build a culture of privacy and data protection, including compliance, will be able to create a competitive advantage, putting the "health and safety" of their customers in the digital sphere.
Contributed by Edwin Conception (FIP, CIPM, CIPT, CIPP/E)
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.