What’s Next after Registration
Your National Privacy Commission has so far held seven data protectionofficers assemblies, with our staff hard at work in planning the next one. In each of these events, we have always strived to impress upon everyone the necessity of complying with the Data Protection Act, and endeavored to articulate in clear language what exactly a data handling organization must do to adhere to the law.Among these—in fact, the first imperative—is the designation of a Data Protection Officer. The DPO serves as a focal point for data privacy and security concerns within an entity; he or she stays on top of the processes and needs so that the mechanisms that keep our personal information safe may run smoothly.
As the enforcing agency for data privacy and protection, we at the NPC need to make sure that DPOs are in place for data handling organizations. We set a deadline for Phase One(1) registration: 9 September. Since that date fell on a Saturday, a non-working day, the deadline automatically moved to the next working day, on Monday of September 11, 2017.
I cannot emphasize enough the importance of registering your DPOs in this first phase. Failure to register may subject a company or an agency to compliance checks and depending on attendant circumstances may be considered evidence of unauthorized processing, a crime under the Data Privacy Act. For one thing, in case an organization suffers a data breach in the future, its non-registration would imply lack of due diligence, critical in defending against charges of negligence.
We will continue accepting DPO registration papers from organizations even after the Monday deadline but such will be considered “late registrants”, which could be included in the list of priority organizations for a data privacy compliance check.
A compliance check by the NPC means an organization will be subjected to a comprehensive compliance validation process based on 10 critical aspects of accountability, which the NPC has termed as the Data Governance Framework. The privacy check involves interviews, operations inspection, documents analysis, and pertinent activities intended to appraise the organization’s culture of privacy.
Much as we may want an extension, we are compelled by law to strictly enforce the September 9 deadline for organizations to register their data processing system, which is exactly one year following the date of effectivity of the Implementing Rules and Regulations.
I wish to congratulate those who managed to complete the registration on time. We are elated that PICs have responded to deliver what was required by the Data Privacy Act. We still haven’t determined the exact number of registrants who beat the deadline but a cursory look showed encouraging response coming from companies especially the large personal information controllers.
These PICs will be hearing more from the NPC in the aftermath. They have shown their commitment to comply. Now, we will continue to build on the momentum they have set within their own organizations.
Be that as it may, we continue to reach out to organizations—as partners and fellow advocates—so that we may all ultimately establish a culture of privacy in the country.
For news and updates, please like the National Privacy Commission’s page on Facebook. Email info@ privacy.gov.ph for comments and questions.