WITH the rising number of cyberattacks and data breaches, enterprises in the country, regardless of size, must comply with Data Privacy Law to keep their competitive edge.
Lawyer Enrique dela Cruz Jr., senior partner of Divina Law, said in an interview on Tuesday that businesses, academic institutions, healthcare and industries dealing heavily with data must set up a separate department whose sole task is to ensure the organization’s data is protected.
“The company’s asset is data and you have to guard it,” said dela Cruz.
Under the Data Privacy Act’s (Republic Act 10173) implementing rules and regulations, one of the first registration requirements of the National Privacy Commission (NPC) is the designation of the data protection officer who will be responsible for data protection and data privacy of the organization.
They are likewise required to appoint personal information controllers and processors, conduct privacy impact assessments, create their own privacy management program, implement privacy and data protection measures and regularly exercise breach reporting procedures.
NPC is the country’s data privacy and data protection watchdog mandated to uphold the right to data privacy and ensure the free flow of information to promote economic growth and innovation.
According to dela Cruz, most of their clients who cannot afford to set up a new department usually outsource these new functions like creation of manual or program to law firms.
In Cebu, dela Cruz said about 10 to 15 percent of organizations have registered with the NPC. However, 50 percent of them are not fully compliant with the law.
NPC extended its registration deadlines for data processing systems of personal information controllers and processors operating in the country until Mar. 8.
Organizations that employ 250 people or handle more than 1,000 customers in their database should register their compliance with the NPC. A maximum penalty of up to P5 million will be fined to organizations that are not complainant.
While this new law will urge organizations to invest in new functions, dela Cruz said a bigger chunk of the money will be spent on training key people on data privacy and protection.
However, he noted that additional investments will be for the organization’s long-term growth and is incomparable to the potential risks and losses the organization will face should they experience data breaches.
“With the Asean integration, companies in the Philippines need to implement their data protection and data privacy obligations, not only to keep their existing clients, but also to assure future growth,” said Privacy Commissioner Raymund Enriquez Liboro, in a statement.
According to the 2017 Cost of Data Breach Study: Global Overview conducted by IBM Security and Ponemon Institute, the average total cost of data breach for the 419 surveyed companies (with respondents from the Philippines) decreased from $4 million to $3.62 million.
The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 million in 2016 to $141 million in this year’s study. However, despite the decline in the overall cost, companies in this year’s study are having larger breaches.
A study commissioned by the NPC revealed that 94 percent of Filipino adults want to know more about how the personal data they provide during transactions will be used. Eighty-five percent of Filipinos agree that the rights of data subjects are important.