What do data privacy laws in the Philippines entail?
The reference document for data privacy in the Philippines is the Data Privacy Act of 2012 (DPA). It applies to any business that processes personal data and maintains an office, branch or agency in the country, and also reaches businesses outside the Philippines that process the personal data of Philippine citizens or residents.
Here are a few of the conditions the DPA places on how personal data is collected and protected:
- You must have the consent of the individual (or another lawful basis recognised by the Act) before collecting their data.
- You must have a legitimate, declared purpose for collecting and storing the data.
- You must not collect more data than that purpose requires.
- People whose data has been collected have the right to be informed about what is being stored, the right to access it, the right to have it corrected, blocked or erased, and the right to claim damages if their rights are infringed.
Complying with the DPA
The DPA is enforced by the National Privacy Commission (NPC). The NPC monitors compliance, can order an organisation to stop processing personal data, and can recommend prosecution to the Department of Justice. It also publishes guidance for those who want to understand the law better, and coordinates with other regulators and law enforcement agencies.
It is important to understand that compliance with the DPA is not a static target. The statute itself does not change often, but the NPC regularly issues implementing rules, circulars and advisories that refine how it is applied; one of the more recent of these concerns the appointment and registration of data protection officers. In this way the DPA regime keeps pace with an era of sweeping technological change.
Lastly, under the DPA and the NPC's breach notification rules, a breach affecting Philippine personal data must be reported to the NPC, and to the affected individuals, within 72 hours of the organisation becoming aware of it. The European GDPR imposes the same 72-hour window for notifying the supervisory authority, so an entity covered by both regimes faces the same deadline whichever law is triggered; what differs is whom you must notify and what the notification must contain, so keep a single breach-response procedure that satisfies the stricter requirement of each.
These strictures may seem severe, but there is room in the law for measures to be tailored to each organisation. Section 25, for example, states that data controllers must "implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data." The key words are "reasonable" and "appropriate." The law recognises that organisations differ, and the factors it lists for judging what is reasonable include the nature and sensitivity of the data, the risks the processing creates, the size and complexity of the organisation, current best practice, and the cost of implementation. What is reasonable for you may be beyond the reach of a smaller organisation; equally, a large organisation handling sensitive data will be held to a higher standard, and budget alone is not a defence.
Protect yourself under the DPA with Safe-T
No one wants to pay unnecessary fines or serve time in prison. Safe-T can help. We offer a secure access and data security suite, Software-Defined Access, with policy enforcement at a granular level. Our solution lets you specify the level of encryption required for sensitive documents and keeps them protected both at rest and in transit, audits the data entering and leaving your network, and creates micro-segmentation so that a network is harder to infiltrate. Safe-T offers turnkey compliance tools that help you stay secure no matter where you do business. For more information, contact us today.