NPC warns late data processing registrants
Public and private companies that failed to beat the September 9 deadline for the registration of their data processing systems starting with the registration of their Data Protection Officer (DPO) could face compliance checks, the National Privacy Commission (NPC) warned.
“Failure to register may subject a company or an agency to compliance checks, compliance orders, and depending on attendant circumstances may be considered evidence of unauthorized processing, punishable under the Data Privacy Act,” said Chairman and Privacy Commissioner Raymund Enriquez Liboro.
Liboro explained that in case an organization suffers a data breach in the future, its non-registration would imply lack of due diligence, critical in defending against charges of negligence.
Liboro, however, said that NPC will continue accepting DPO registration papers from controllers and processors even after the deadline, which had been moved to Monday, Sept. 11, since Sept. 9 was a holiday.
Late registrants will be included in the list of priority organizations for a data privacy compliance check.
A compliance check by the NPC means an organization will be subjected to a comprehensive compliance validation process based on 10 critical aspects of accountability, which the NPC has termed the Data Governance Framework.
The compliance check involves interviews, operations inspection, documents analysis, and pertinent activities intended to appraise the organization’s culture of privacy.
Section 47 of the IRR of the Data Privacy Act of 2012 requires a personal information controller (PIC) or personal information processor (PIP) that employs 250 persons or more to register its information processing system with the NPC.
Those that employ fewer than 250 persons are also required to register if their operations involve the processing of personal data that may likely pose a risk to the rights and freedoms of data subjects; the processing is not occasional; or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
Based on a record NPC got from Pag-IBIG, there are 9,800 companies in the country that employ 250 people per company.
NPC has yet to get the entire number of firms that beat the deadline.
Several conglomerates have registered their DPOs with the NPC, among them companies under the Ayala Group, the SM Group of companies, and the Lucio Tan Group. One of the first companies able to comply with the designation and registration of a DPO was Philippine National Bank, one of the companies under the Lucio Tan Group, which submitted its registration as early as May this year.
In case the NPC finds an organization wanting, Liboro said the privacy compliance check could lead to the issuance of a Compliance Order, which enforces specifications to be performed by the company within a time period. If the organization does not follow through satisfactorily, this will trigger a formal investigation that could possibly result in prosecution.