The GDPR is short for the General Data Protection Regulation. Created by the European Union (EU), its goal is to protect the personal data of EU citizens collected by any organizations or businesses from unauthorized access or use. It essentially gives EU citizens more control over their personal data.
The GDRP was made to simplify how regulation works for organizations in order for EU citizens and businesses to take full advantage of the digital economy.
Conditions under the GDPR require organizations to ensure that personal data is gathered legally and under strict conditions. Those who collect and manage the data are obligated to protect it from any misuse or exploitation as well as to respect the rights of the data owners.
What does the GDRP mean for Philippine businesses?
The GDRP applies to any organization operating within the EU. It also includes organizations outside of the EU that offer goods or services to customers or businesses situated in the EU.
If a Philippine business has any dealings with or has customers in the EU, the said entity is required to abide by the GDRP.
According to the head of Economic and Trade Section of the EU Delegation Walter Van Hattum, adherence to European data privacy standards by Philippine companies or entrepreneurships could entice EU-based investors to engage in more business dealings with them.
How can Philippine businesses comply with the GDRP?
Organizations that already comply with the Data Privacy Act (DPA) will find it easier to abide by the GDRP due to the similarity in statutes between the two. The data protection officers of Philippine companies complying with the DPA already have the tools they need to perform GDRP-compliant roles efficiently.
The GDRP, much like the DPA, puts a high value on requiring the consent of users regarding the gathering of their information. The following guidelines have been set under the GDRP for the acquisition of user data:
An easy way for organizations to meet the terms of these guidelines is by having cookie banners, consent management, and internal privacy tools on their respective websites and/or web forms.
The GDRP also has provisions stating that users can opt out of automated processing which includes profiling. Similar to the DPA, companies are required by the GDRP to have someone review data handling procedures.
Moreover, under the GDRP, when there is a data breach or knowledge of a data breach, the organization is required to report this within 72 hours to the appropriate agencies.
What are the consequences for failing to comply with the GDRP?
Companies that fail to comply with the GDRP’s guidelines could be fined between €10 million (US$11.74 million) and €20 million (US$23.48 million) The severity of the fines will depend on the seriousness of the breach, if a breach was committed, as well as on how seriously the company has been complying with the GDRP.