In Manila, we just ran the second Data Privacy Workshop jointly with the National Privacy Commission. Again, we were fully booked as more and more people, companies and their managers understand that there is no escape from the full implementation of the Data Privacy Law (DPL).
Under the DPL, companies will be subject to new requirements. For most companies, the new requirements will raise the bar above current privacy practices. Despite its complexity and new requirements, complying with the DPL can be accomplished by following a five-step roadmap, involving people, processes and technology. For all five phases, use a combination of your team, a defined process, and technology tools.
People – Identify the team members who will be responsible for conducting the tasks and whose informational inputs are necessary for a comprehensive assessment. Ensure that everyone involved is trained on the process and technology. Ideally team members will be well versed in data privacy management requirements and best practices.
Process – Design the workflow of information gathering and identify gaps against the requirements. Leveraging best practices and templates in questionnaire form instead of manual checklists will build efficiency. A business will likely need multiple templates to address different types of risk; however, a single template may be effectively used to address a set of processing operations that present similar high risks.
Technology – Data privacy management technology platforms with built-in digital data discovery, data inventory, assessment templates, cookie consent, workflows, and reporting will enable a team to collaborate, guide the workflow process, serve as the central repository of compliance evidence, and facilitate ongoing periodic audits that reflect business changes.
Begin by identifying the key stakeholders who may reside in these departments:
• Human resources
• Information security
• Product management
• Website development.
You need to compare your current practices against a comprehensive list of the new requirements, including the following areas:
Collection and Purpose Limitation – does your company have the right to collect the information it collects, and does it use the information only for those limited purposes?
Consent – does your company obtain the right consent for its data processing activities?
Data Breach Readiness and Response – is your company ready to handle data breaches according to the DPL’s requirements?
Data Quality – what measures does your company take to help ensure the relevance, timeliness, accuracy, and completeness of the personal information it holds?
Individual Rights & Remedies – a key change under the DPL is the expansion of individual rights to include, for example, the Right to Information, Right to Access, Right to Rectification, Right to Restrict Processing, Right to Object, Right to Erasure and Right to Data Portability. Because of this expansion, companies’ existing policies, processes, and procedures must be reviewed. In some cases technological changes will need to be made.
Privacy Program Management – how does your company build, oversee, and demonstrate sound privacy practices?
Security in the Context of Privacy – what technical and procedural measures are in place and designed to protect your company’s personal data?
Transparency – how does your company disclose its data handling practices to data subjects?
The DPL is a complex regulatory regime. Some companies may feel comfortable with the resources currently available in-house, whereas others may want to consult an expert or work with a team of professionals to help with certain pieces of the assessment, implementation, and maintenance. Experts can be hired to provide recommendations. Regardless of how you choose to approach your DPL assessment, implementation and maintenance, take the time to assess the current status of your program.
We are planning to bring the Data Protection Workshop to Cebu in November. For information, contact firstname.lastname@example.org.
by: Henry Schumacher