Data Privacy Act: Requirements for Compliance

The deadline for compliance with the Data Privacy Act has passed. September 9, 2017 has come and gone, and if your establishment has yet to implement the changes necessary to comply with the law, your business may be facing sanctions ranging from an order by the National Privacy Commission to cease processing data to the imprisonment of key officers of your business for up to six (6) years and a fine of not less than Php500,000.00 but not more than Php5,000,000.00. This article gives you the very basic things you need to know about the requirements for complying with the law.

  1. Consent Form – time-bound, specified and legitimate purpose, extent of processing of personal data, only necessary personal data
  • EMPLOYMENT APPLICATION FORM should incorporate a consent form
  2. Organizational Security Measures
  • Appoint a compliance or data protection officer
  • Data Protection Policies that provide for organizational, physical and technical security measures
  • Records of Processing Activities – describing the data processing system and the duties and responsibilities of personnel with access to personal data
  • Management of Human Resources – personnel with access to personal data must execute a Strict Confidentiality Covenant; capacity building, orientation or training programs regarding security or privacy policies
  • Procedure for Processing of Personal Data, including policies for access management, system monitoring and protocols to follow during security incidents or technical problems; policies and procedures for data subjects to exercise their rights under the Act; data retention schedule, including timeline or conditions for erasure or disposal of records
  3. Physical Security Measures
  • Policies and procedures to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media
  • Design of office space and workstations to provide privacy to personnel processing personal data
  • Duties, responsibilities and schedule of individuals involved in the processing of personal data
  • Policies and procedures regarding the transfer, removal, disposal and reuse of electronic media
  • Policies and procedures that prevent the mechanical destruction of files and equipment – the room and workstation used in the processing of personal data shall be secured against natural disasters, power disturbances, external access and other similar threats
  4. Technical Security Measures
  • Security Policy
  • Safeguards to protect the computer network
  • Ability to ensure and maintain the confidentiality, integrity, availability and resilience of processing systems and services
  • Regular monitoring for security breaches and a process both for identifying and assessing reasonably foreseeable vulnerabilities in computer networks and for taking preventive, corrective and mitigating action
  • Ability to restore the availability of and access to personal data in a timely manner
  • Process for regularly testing, assessing and evaluating the effectiveness of security measures
  • Encryption of personal data during storage and while in transit, an authentication process and other technical security measures that control and limit access
  5. Registration of personal data processing systems – if the establishment employs at least 250 persons or if it processes personal information of at least 1,000 individuals
  6. Annual report of the summary of documented security incidents and personal data breaches
  7. Notification of automated processing operations

For more info:

R.A. 10173 (Full Text)

Implementing Rules and Regulations (IRR)

Data Privacy Act Primer
