In the face of rapid developments in the digital economy, the Philippines is now keeping up with the rest of the global online community by strengthening its data privacy and security protections through the Data Privacy Law.
Given its extensive coverage and its impact on digital marketing campaigns, here are common questions asked regarding the DPA:
What is the Data Privacy Law in the Philippines?
The Data Privacy Act (DPA) of 2012, also known as RA 10173, is a comprehensive and strict legislation used to protect people’s privacy while at the same time, ensuring the free flow of information to promote innovation and growth. The main goal of the DPA is to protect people from unauthorized use of their personal information.
A user’s right to be informed regarding the use of their personal data (i.e. address, contact details, occupation, name of parents, and other information that would make them identifiable) and their consent in giving their information is fundamental in the DPA.
Acting as overseer and enforcer of the DPA is the National Privacy Commission (NPC). The NPC can punish those who violate the DPA with fines ranging from PHP 100,000 to PHP 5 million and imprisonment for six months to seven years, depending on the severity of the breach.
Who will be affected by the Data Privacy Law?
The DPA applies to individuals and organizations that process the personal information of its users. The said personal information covered by the DPA has been recorded either online or offline. If an organization has at least 250 employees or has access to the personal information of at least 1,000 people, they are required to register with the NPC and comply with the DPA.
This act does not apply to processing personal information in the Philippines of data that was legally collected from those living outside the country, whether Filipino or a foreigner.
How does one comply with the Data Privacy Act of 2012?
For compliance with the DPA, organizations must follow these six steps:
1. Appoint a Data Protection Officer (DPO)
Organizations that process information must have a designated DPO or compliance officer. The DPO will be responsible for ensuring that the organization complies with laws and regulations regarding data protection and privacy.
2. Conduct a Privacy Impact Assessment (PIA)
A PIA should include a description of the data management and protection program used by the organization. It should also show how the program will process or measure information. That way, a thorough evaluation of the process can be done to check if there is a need to make improvements or updates.
3. Create a Privacy Management Framework
A Privacy Management Framework (PMF) is a holistic approach used to contain any data breaches and helps members of the organization comply with the DPA and other issuances of the NPC. The PMF ensures that every member of the organization understands their responsibility in relation to protecting data privacy and eases their compliance with the DPA.
4. Implement Privacy and Data Protection Measures
Organizations must follow through on their responsibility of protecting their users’ data. They are required to assess, review, and revise their protection measures when necessary.
5. Exercise Breach Reporting Procedures
When there is a personal data breach or suspicion of a personal data breach, organizations are required to notify the users affected and the NPC. They must also conduct an assessment of the breach to lessen its impact.
6. Register your company with the NPC
Organizations should register with the NPC and make sure they have all necessary documentation. They must include all automated processing operations that have a legal effect on their users as well as annual reports involving security incidents.
How does this affect your marketing campaigns?
If your marketing campaign does not involve collection of any personal data, you don’t have to worry about the DPA. However, if your campaign requires people to provide personal information, then you must comply with two basic rules:
Before asking for or using any personal data of anyone, your organization must notify them of the following:
The key rule here is for organizations to always ask for consent from users who will be sharing with them their personal information. Moreover, an organization cannot gather information regarding an individual or their family members without their consent.
Non-adherence to the appropriate data privacy and protection procedures could lead to the compromise of your clients’ personal information. This may adversely affect your company’s trustworthiness and credibility in the marketing sphere and negatively impact your campaigns. All these, on top of the sky-high fines and severe penalties for any mismanagement of client information that could most likely occur without the proper data security measures.
How does compliance benefit your campaign and overall business?
Apart from avoiding the stiff penalties for non-compliance, complying with the DPA while executing your marketing campaign can prove beneficial for your organization’s bottom line.
Compliance ensures your organization’s longevity and competitiveness in an international setting where data privacy frameworks like the European General Data Protection Regulation and the Asia-Pacific Cooperation Privacy Framework have been set up