FINEX Folio

It's the Year of the Fire Horse, and Chinese astrologers predict it will challenge the resilience and stability of businesses.

In the same way that lifestyle articles advised us to clean our doors and hallways to give the Fire Horse a clear path, the start of the Lunar New Year is as good a time as any for businesses to "clean house" by checking on compliance: from ensuring timely submission of your 2025 general information sheet to renewing various LGU permits.

A somewhat overlooked area of compliance is data privacy, something people knew little about when the Data Privacy Act (DPA) was passed in 2012. There's a lot more awareness now, thanks to the efforts of the National Privacy Commission (NPC), although one problem seems to persist: people aren't quite clear about what this law really covers.

I don't know how many times I've heard people talk about data privacy as something you can threaten your marites neighbors or officemates with. Yes, that kind of sharing can involve the right to privacy, but you generally need to look to the Constitution, the Civil Code, or the Revised Penal Code, not the DPA, for relief.

The DPA is meant to regulate persons who collect and process personal data in the course of government and private transactions, employment, and the pursuit of business or enterprise. The statute is looking at a world where data subjects (us, individuals) give, or have to give, their personal information to another person so that the latter can provide some service or perform an obligation. The law seeks to balance the interests of the data subject (grounded in the right to privacy) and the interests of the party that is legitimately collecting and using the data.

Taking off from the NPC's Five Pillars of Compliance, here are some practical Lunar New Year "resolutions":

1. Data protection officer — your DPO (you have one, right?) should keep abreast of NPC issuances and advisories, posted on the NPC website.

2. Privacy impact assessment (PIA) — your DPO's files should have a PIA report by now. A PIA is a risk assessment exercise, generally covering any type of personal data processing your business undertakes. Processing is pretty much anything, from your receptionist signing in visitors to you storing the résumés of rejected job applicants. The key is to identify personal data flows, from intake through every transfer to retention and disposal. Then determine the risks and their mitigants, implement them, and reassess. All of that goes into an internal report.

3. Privacy management program — this is your set of internal protocols, like a manual or privacy policy, guiding your organization on when and how to handle personal data.

4. Data protection measures — the DPA requires adequate physical, technical and organizational security measures, but except for certain organizational measures, such as the appointment of a DPO, the DPA doesn't specify what these measures should be. What is adequate depends on the processing undertaken and the related risks, among other things. Conducting the PIA helps determine and justify the security measures you adopt.

5. Breach reporting — what's needed: a data security breach management policy (what to do in case of a breach) and a response team that must include the DPO. A DPO should know what triggers the mandatory 72-hour notice to the NPC and to affected data subjects, as well as the requirement to file the annual security incident report (ASIR) with the NPC. An ASIR is meant to cover incidents that, if not for the security measures installed by a controller, would have been data security breaches. (ASIRs are due March 31st of every year.)

The pillars don't mention NPC registration, but a business should definitely check whether it is required to register. The triggers:

1. Employment of 250+ people;

2. Processing of sensitive information (e.g., age, government IDs) of 1,000+ individuals;

3. Using automated processing; and

4. A general category referring to processing of personal data that poses risks to the rights and freedoms of individuals.

There's much more to unpack in respect of privacy compliance. Before policymakers add more compliance requirements (keep an eye on cybersecurity), it's best to make sure this horse has been reined in and saddled. Happy Lunar New Year!

The views expressed herein are the author's own and do not necessarily reflect the opinion of her office or of FINEX.


Rose Marie M. King-Dominguez is a senior partner of SyCip Salazar Hernandez & Gatmaitan and the head of the firm's Special Projects Department. She is a FINEX member.