Make sure your business complies with all the requirements under the Data Privacy Act for processing the personal data of customers and employees to avoid investigation and penalties.
I. What is the Data Privacy Act of 2012?
Because of how fast technology has evolved, personal data has become so valuable that entire business models are built around how it is used. To prevent the abuse of personal data, the government enacted Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”). On September 9, 2016, the implementing rules and regulations of the DPA came into force; they assure the “free flow of information to promote innovation and growth” while at the same time protecting users’ fundamental right to privacy. The DPA has become increasingly important as the world economy goes digital. As far back as 2014, it was estimated that 2.5 quintillion bytes of data were created every day, and part and parcel of this is knowledge about real individuals.
II. How does the DPA affect your business?
How does the DPA affect businesses? The DPA protects and maintains customers’ right to confidentiality by setting out rules that businesses must follow to regulate the collection, handling, and disposal of all personal information. Businesses thereby become legally responsible for keeping their customers’ data safe from third parties and from any form of misuse, whether internal or external.
The DPA applies to any processing of personal data, regardless of whether the person processing the data belongs to the government or to the private sector. The collection of personal data must have a legitimate purpose that is clear to both the party giving and the party receiving the information. This means that the collection must be done with the customer’s proper consent.
III. Complying with the requirements of the DPA
Under the DPA, businesses with at least two-hundred-fifty (250) employees or access to the personal and identifiable information of at least one thousand (1,000) people are required to register with the National Privacy Commission.
What does this mean for business owners? Businesses should ensure that their data collection methods comply with the DPA and that they are transparent with their data subjects about the entire process of data collection. If the handling, processing, or disposal of personal information is not compliant with the DPA, the penalty is imprisonment of up to 6 years and a fine of not less than five hundred thousand pesos (Php 500,000.00).
How can a business comply with the DPA? These 5 elements must be in place: (a) appointing a Data Protection Officer; (b) conducting a privacy impact assessment; (c) creating a privacy knowledge management program; (d) implementing a privacy and data protection policy; and (e) exercising a breach reporting procedure.
With respect to employees, a business may process the personal data of its employees by having them execute a Data Privacy Consent Form, which signifies each employee’s consent to have the company process their personal data. Make sure your business secures its employees’ consent to process their personal data by using our Employee Data Privacy Consent Form.