ISO standards may be prerequisite for PPM certification

The National Privacy Commission (NPC) of the Philippines conducted its second virtual public consultation on 22 March 2023 on a draft circular on the prerequisites for the Philippine Privacy Mark (PPM) Certification Program.

The draft circular sets out specifically the prerequisites for the certification of personal information controllers (PICs) and personal information processors (PIPs), and would also apply to all certification bodies (CBs) that would seek accreditation under the PPM.

Based on the draft, the circular once issued would require PICs or PIPs to be certified with the ISO/IEC 27001 - information security management system (ISMS) and ISO/IEC 27701 - privacy information management system (PIMS) before applying for PPM certification.

The same requirement would apply to CBs prior to applying for accreditation under the PPM.

Get our free Data Protection Impact Assessment (DPIA) Cheat Sheet. Log in as a DPEX Network member (sign-up is free) to download.

Watch the video on how ISO certifications differ from other certifications here.

Increase trust and confidence

Originally launched in November 2021 as the Philippine Privacy Trust Mark or PPTM, the certification aims to increase trust and confidence in businesses and public offices by offering the highest level of assurance on data privacy compliance and secure cross-border data transfers.

It is a voluntary program and is only applicable to organisations’ management systems.

Former NPC commissioner Raymund Liboro said the certification was opportune as the Philippines would “fully embrace digitalisation for our economic recovery” after the Covid-19 pandemic, and that it would “strengthen the foundation of trust” for online activities.

For consumers, he said that the certification would enable them to make informed choices and have greater control over the personal data collected from them, and help them identify [certified] organisations that they can trust with their personal information.

PPM-certified PICs and PIPs are required to establish, implement and continually improve their management systems, and demonstrate operational compliance with the Data Privacy Act of the Philippines.

The NPC will be releasing additional guidelines in the near future pertaining to the certification scheme for PICs, PIPs and CBs.

To find out how to meet the ISO prerequisites of the Philippine Privacy Mark (PPM) in the Philippines, please schedule a 20-minute strategy call or contact sales@straitsinteractive.com to get your queries answered.

View our Philippines DPA infographic here.

Achieving ISO 27001 and 27701 certification

When it comes to ISO, an organisation should be able to demonstrate the mandatory documents and records required by the ISO 27001/27701 standard.

“Usually, auditing and certifying bodies will require you to show these mandatory documents and records over several cycles, to prove that you are aligned with the ISO standard,” Edwin Concepcion, ISO 27001 and 27701 Certified Lead Implementer, explained.

This means that for organisations that want to apply for ISO certification, they should establish several months’ worth of records before they can apply for an audit.

Another key point in ISO certification is contextualisation and scoping. This means that the controls and best practices are dependent on factors such as your industry, scale, and size.

“When we think of ISO, it is easy to feel overwhelmed. However, if you are able to clearly establish your scope, based on the context of your organisation and your most urgent risks, achieving ISO is possible even for smaller organisations,” said Concepcion, the country manager for Straits Interactive in the Philippines.

He added that working with the right data privacy consultant, such as Straits Interactive, can provide the greatest value for money, in terms of being ably supported in developing and maintaining sufficient records to be ready for audit.

“We can also help you scope [the project] according to your organisation’s objectives – so that you can make the most efficient use of your resources.”

Visit dpexnetwork.org to learn more about ISO certification courses and data protection competency roadmaps. You can also start your career in data protection by taking our Data Protection Officer Program (DPO ACE, Philippines).

Cross-border assurance

The PPM guidelines also provide adequate support for cross-border data transfers, and help align the NPC’s compliance mechanisms with global practices and standards.

“Certified PICs and PIPs can more easily integrate themselves in global value chains as they gain more clients, customers and business partners with their branding of secure privacy systems,” Liboro said.

ISO standards are increasingly important to protect management systems and organisations in the Philippines, and to engender greater assurance and public trust.

In March 2022, the Congress of the Philippines passed amendments to the Public Service Act to enable potential full ownership of telecommunications and railway services.

As part of these amendments, compliance with international standards, specifically ISO standards, are required in certain public-service industries.

For access to news updates, blog articles, videos, events and free resources, please register for a complimentary DPEX Network community membership, and log in at dpexnetwork.org.