Philippine companies have until September 9, 2017 to fully comply with the Implementing Rules and Regulations of the Data Privacy Act of 2012 (Republic Act No. 10173) or face sanctions and penalties ranging from one to six years of imprisonment and a fine of not less than Php500,000 and not more than Php5 million, depending on the violation.
The National Privacy Commission (NPC) is the independent body mandated to administer and implement the Data Privacy Act of 2012 and to monitor and ensure the country's compliance with international data protection standards. According to the NPC, privacy is a basic human right; in the digital age, and with the continued socio-economic development of Filipino citizens, privacy has an ever-increasing value, and educating oneself about privacy is important.
The DPA provides Philippine residents with control over their personal data through a set of "data subject rights." These include the:
- Right to be informed
- Right to object
- Right to access
- Right to correct
- Right to rectification, erasure or blocking
Noncompliance by businesses with the Data Privacy Act can lead to the following consequences:
- Being issued an order to stop processing
- Being ordered to pay damages to data subjects whose rights were violated
- Jail time for accountable officers
The NPC recommends that businesses begin their journey to compliance with the DPA by focusing on five key steps:
- Appoint a Data Protection Officer (DPO). Appointed by the personal information controller, the DPO is accountable for ensuring compliance with applicable laws and regulations relating to data protection and privacy.
- Conduct a Privacy Impact Assessment to evaluate and manage the impact of the company's programs, processes, and/or measures on data privacy.
- Create a Privacy Management Program to align everyone in the organization in the same direction, to facilitate compliance with the Data Privacy Act and the issuances of the NPC, and to help the organization mitigate the impact of a breach.
- Implement privacy and data protection measures, which must be continuously assessed, reviewed, and revised as necessary, and conduct training regularly.
- Regularly exercise the breach reporting procedures. The personal information controller must notify the NPC and the affected data subjects within 72 hours of learning, or of forming a reasonable belief (whether on the part of the personal information controller or the personal information processor), that a personal data breach requiring notification has occurred. The personal information controller notifies the NPC by submitting a written or electronic report containing the required contents of notification, including the name and contact details of a designated representative of the personal information controller.
Supporting the journey to compliance
At a recent tech workshop for the media, Microsoft officials said that the company's long-standing commitment to security, privacy, and transparency is consistent with the goals of the Data Privacy Act. To support this government drive, Microsoft has been working on helping businesses in their journey to comply with the legislation.
To help companies start their DPA compliance initiatives, the company has made online tools and resources available through a dedicated Microsoft Trust Center website focused on the Data Privacy Act. Through this site, businesses may also take a free risk assessment by the National Privacy Commission to assess their privacy risk level under the DPA.
Microsoft's solutions that help businesses comply
As the DPA seeks to protect Filipino citizens' right to privacy, businesses need to be both responsible and accountable for their customers' data, but they are not alone in this journey.
Microsoft says its products and services are available today to help businesses meet the Data Privacy Act requirements, and that it is investing in additional features and functionality. Through cloud services and on-premises solutions, Microsoft aims to help businesses locate and catalog the personal data in their systems, build a more secure environment, simplify the management and monitoring of personal data, and provide the tools and resources needed to meet the Data Privacy Act's reporting and assessment requirements.
Microsoft says that with Microsoft Azure, an organization receives a level of data protection and physical security that exceeds what a typical on-premises firewall provides, and that customers' apps and data get the same level of protection chosen by Microsoft's enterprise customers, including many of the world's largest financial institutions.
Microsoft Enterprise Mobility + Security (EMS) aims to give users a more secure and integrated productivity experience. Microsoft points to identity protection such as multi-factor authentication, device health and data protection with remote wipe and disconnection capabilities, information protection at rest and in transit, and advanced detection of security breaches as measures that address the DPA's requirements. EMS' layered security across identities, devices, apps, and data is intended to help with ongoing compliance.
For businesses that process sensitive information, Microsoft positions Office 365 as the application suite that delivers Office anywhere and on any device, with regular updates intended to keep information secure and protected.
Windows 10 provides identity protection and safeguards against pass-the-hash attacks. It also provides data encryption at the device level and at the file level, which helps ensure corporate data is not accidentally or intentionally leaked to unauthorized users or locations.
On top of that, Windows 10 offers threat resistance with enterprise-grade anti-malware protection and application control that locks down the device so that only trusted applications can run. It also provides additional device security through UEFI Secure Boot and virtualization-based security: Secure Boot ensures that only a genuine, trusted version of Windows starts on the device, and virtualization-based security moves some of the most sensitive Windows processes into an isolated execution environment to help prevent tampering and keep attackers from evading detection.
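The protections listed above only count toward compliance if they are actually switched on, so a practitioner will want to verify them on each device rather than take the defaults on trust. The following PowerShell script is an added example and is not code from the article or from Microsoft. It assumes an elevated session on a Windows 10 UEFI machine with the SecureBoot and BitLocker modules present, and it relies on the documented Win32_DeviceGuard class in the root\Microsoft\Windows\DeviceGuard namespace, whose SecurityServicesRunning codes (1 = Credential Guard, 2 = HVCI) are taken from Microsoft's documentation; treat the status codes and the "C:" system volume as assumptions to adjust for your environment.

```powershell
# Added example: verify that Secure Boot, virtualization-based security,
# Credential Guard (pass-the-hash mitigation) and BitLocker are active.
# Run in an elevated PowerShell session on Windows 10 (UEFI firmware).

function Test-Win10BaselineProtection {
    [CmdletBinding()]
    param(
        # System volume to check for device-level encryption (assumption: C:)
        [string]$SystemDrive = 'C:'
    )

    $result = [ordered]@{}

    # 1. UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBoot = $false   # legacy BIOS or non-UEFI boot
    }

    # 2. Virtualization-based security and the services running under it.
    #    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    #    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.VbsRunning            = ($dg -ne $null) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result.CredentialGuardRunning = ($dg -ne $null) -and ($dg.SecurityServicesRunning -contains 1)
    $result.HvciRunning            = ($dg -ne $null) -and ($dg.SecurityServicesRunning -contains 2)

    # 3. Device-level encryption of the system volume.
    $bl = Get-BitLockerVolume -MountPoint $SystemDrive -ErrorAction SilentlyContinue
    $result.BitLockerOn = ($bl -ne $null) -and ($bl.ProtectionStatus -eq 'On') `
                          -and ($bl.VolumeStatus -eq 'FullyEncrypted')

    # A device passes the baseline only when every control is active.
    $result.Compliant = -not ($result.Values -contains $false)
    return [pscustomobject]$result
}

# Example usage: print the status table and exit non-zero on a gap,
# which makes the script usable from a scheduled task or a login script.
$status = Test-Win10BaselineProtection
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning 'One or more baseline protections are not active on this device.'
    exit 1
}
```

Because the script returns an object rather than just printing, the per-control results can be exported (for example with Export-Csv) and kept as evidence for the Privacy Impact Assessment and for the ongoing review that the NPC's fourth step calls for.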
According to Microsoft, achieving compliance with the DPA will cost most organizations time and money, though the transition may be smoother for those already operating in a well-architected cloud services model with an effective data governance program in place.