Guide to the Philippines Data Privacy Act (DPA)

In this guide:

  1. Overview of the Philippines DPA
  2. Keys to ensuring compliance
  3. Get ahead of data privacy changes

Overview of the Philippines Data Privacy Act (DPA)

The Philippines enacted the Data Privacy Act (DPA) in 2012 to establish much-needed data protection rights in the country. To this day, the DPA is considered the crucial legislative framework governing data privacy issues across the board. The data subject rights it grants align closely with global standards such as the European Union’s General Data Protection Regulation (GDPR) and are critical to giving the general public greater control over their personal information online. In 2016, the National Privacy Commission (NPC) was created to oversee the enforcement of the DPA. That same year, the NPC issued a supplementary piece of legislation called the Implementing Rules and Regulations Act (IRR) to define more clearly the exact requirements placed upon organizations processing personal data.

The DPA applies to the processing of personal information of any Philippine citizen or resident, regardless of where in the world the organization doing the processing is located. This extraterritorial scope is critical: it holds companies abroad accountable for the data they collect and process, ensuring they meet every obligation the law imposes. At the same time, the clear guidelines set forth in the IRR help businesses become compliant so they can avoid penalties while increasing consumer trust in the digital age.

At its core, the Philippines DPA protects individuals’ data privacy by creating the following data subject rights:

  • Right to be informed: Data subjects are entitled to be informed in a simple and concise manner before their personal data is collected. Information must be presented in an easy-to-understand format about all of the relevant aspects of the data processing, including the purpose for which the data is being collected.
  • Right to access: Data subjects have the right to review any information about themselves held by a person or entity, the manner in which their personal data was collected, the reasons for its collection and at whose request it was collected, as well as any transfers that have been made or are planned.
  • Right to rectification: Data subjects have the right to correct their information held by an organization if it is partially or totally incomplete or inaccurate, an error is clear, it is no longer necessary or relevant, or the original reasons established for processing have expired or changed in any way.
  • Right to erasure: Data subjects have the right to have the processing organization delete information about them if it is partially or totally incomplete or inaccurate, an error is clear, it is no longer necessary or relevant, or the original terms established for processing have expired. These reasons match those laid out in right to rectification.
  • Right to object or opt-out: Data subjects have the right to reject data processing by an organization in certain instances, provided there are legitimate reasons due to a specific personal situation or if the personal data was obtained from publicly available sources and the data subject never consented to the data collection and processing at an earlier date.
  • Right to data portability: Data subjects must receive the information they request in a format that is clear and easy to read, that can easily be sent to another organization of the data subject’s choosing, and that the receiving entity can import with minimal effort.
  • Right not to be subject to automated decision-making: Data subjects have the right to reject automated decision-making using their personal data or any information that represents them. This is akin to “opting out” of data processing, but involves only automated processes.

Any organization collecting and/or processing personal data must respect these rights and share clear processes and procedures for the public to exercise them with documentation each step of the way.

When exercising these data subject rights, a response period is allowed for the business to reply to the relevant request appropriately. Those who do not do so in a timely fashion can be subject to penalties in the form of fines and legal action depending on the severity of the offense.

(Source: Philippines National Privacy Commission website)

Keys to ensuring compliance

Many obligations are placed on businesses to ensure the proper handling of personal data as a result of the DPA implementation. These can be time-consuming and costly to implement, but this is an opportunity for companies to differentiate themselves from the market standard by showing that data privacy is a priority for the greater public good. Plus, data privacy laws are becoming more stringent around the world and compliance is a must anyway, so it’s best to stay ahead of the trends before legal repercussions start cutting into your bottom line. Making data privacy a priority will build consumer trust in the brand while safeguarding your organization from enforcement agencies.

Specifically, the DPA establishes the following obligations on businesses:

  • Process personal data only after obtaining informed, explicit, and unequivocal consent from the data subject. Avoid collecting personal data through fraudulent, unfair, or illegal means. Ensure that the compiled personal data is updated, necessary, relevant, and adequate for the explicit and legal purposes for which it was obtained. This is perhaps the biggest responsibility of any data controller or processor.
  • Do not use processed personal data for purposes other than the ones that prompted its initial collection, unless undergoing anonymization or dissociation procedures. Store personal data in a manner that enables and facilitates the data subject to exercise their rights. Correct or replace inaccurate or incomplete personal data within a reasonable time frame once made aware of the error(s).
  • Delete personal data when it is no longer necessary or related to the original purpose expressed to the data subject, or when the processing term has expired. The only exception is if the information is subjected to anonymization or dissociation processes. Ensure that any marketing of personal data held in databases complies with the law and its regulations.
  • Implement technical, organizational, and legal measures to reasonably ensure the security of held personal data. Entities must do what they can to prevent the alteration, loss, unauthorized processing, or access of stored personal data proactively and document it accordingly. Personal information databases must meet NPC guidelines for security requisites and conditions, and processing personal data in non-compliant databases is prohibited.
  • Provide the NPC with required information regarding the processing of personal data and report any data breaches promptly to provide seamless communication with the public. By being transparent, this can help lessen fines and potentially avoid legal action if appropriate security measures can be demonstrated via thorough documentation.

It’s also important to be careful when transferring data across borders, as this is allowed only if the proposed recipient countries have adequate data protection mechanisms. There are additional requirements placed on these types of data transfers. Be careful when doing this and review international laws carefully, as some countries do prohibit this without express consent from the local governing agency.

With so much included as part of the Philippines DPA, the following best practices are the most efficient way to keep your company’s data privacy processes and procedures a step ahead of global data privacy regulations:

  1. Establish a robust privacy policy: Develop and maintain a comprehensive privacy policy that clearly communicates how personal data is collected, processed, and protected. Ensure that the privacy policy is easily accessible to data subjects.
  2. Implement explicit consent mechanisms: Obtain explicit and informed consent from individuals before collecting, processing, or using their personal data. Clearly communicate the purposes for data processing and allow individuals to make informed decisions about their information.
  3. Data minimization and purpose limitation: Practice data minimization by collecting only the minimum amount of personal data necessary for the intended purposes. Ensure that data processing activities align with the specific purposes for which consent was obtained.
  4. Secure data management: Implement robust security measures to protect personal data from unauthorized access, disclosure, or alteration. Regularly assess and update security protocols to address evolving threats.
  5. Ensure data accuracy and currency: Establish procedures to maintain the accuracy, completeness, and currency of personal data. Regularly review and update records to reflect any changes in individuals’ information.
  6. Enable data subject rights: Facilitate the exercise of data subject rights, including the right to access, correct, and delete personal data. Establish mechanisms for individuals to easily submit requests related to their data.
  7. Anonymization and pseudonymization: Where applicable, utilize anonymization or pseudonymization techniques to process personal data, especially if it is still possible to fulfill the intended purposes through these methods.
  8. Train employees on data protection: Provide comprehensive training to employees on data protection principles, DPA requirements, and the organization’s privacy policies. Foster a culture of privacy awareness and responsibility.
  9. Regularly audit and monitor compliance: Conduct regular internal audits to assess compliance with DPA requirements. Monitor data processing activities to identify and address any deviations from established privacy practices.

It is vital to keep careful documentation of every step taken to respect data subject rights and protect personal information. Most governing bodies around the world review the full body of work and consider the steps taken proactively, especially when a data breach does occur unexpectedly. Gross negligence and a lack of documentation prompt the most severe repercussions, so it’s important to be proactive about establishing the proper business practices.

Remember: requirements to care for personal data being collected and processed aren’t going away. The options are clear. Either make it a priority and get ahead of the competition, or fall behind and lose customers while damaging your bottom line every step of the way.

Get ahead of data privacy changes

Personal data protection is imperative for businesses engaged in online service delivery today, especially for sensitive data. New regulations are enacted every day in various countries around the world. The trend is that these regulations continue to require more stringent opt-in policies while granting consumers more rights to review, correct and remove their data. This increases the accountability and obligations of every organization processing personally identifiable information (PII).

But the responsibility still falls on the individual to oversee, assess, update and delete their own data wherever it may be found and dispersed across the internet.

This becomes a massive lift for any business looking to protect their organization from data breaches. When working to protect an entire company, it is practically impossible for a single person or small team to manage External Data Privacy without assistance from a specialized team of experts. The identification and subsequent elimination of exposed data plays a pivotal role in deterring cybercriminals from launching dangerous social engineering attacks, including phishing, against an organization by closing the data protection gap.

That’s why Privacy Bee emerges as the optimal solution. The time-consuming process of finding and eradicating information exposures is a must to complement mature cybersecurity programs today, and Privacy Bee covers every site across the internet exposing your organization’s data. This data monitoring and deletion service is especially effective for executives who are highly visible to the general public.

Using sophisticated automation processes backed by an active human service team, Privacy Bee substantially reduces a company’s attack surface and mitigates the looming threat of an expensive data breach. Industry estimates put the cost of a single data breach right around $9 million USD. That can be crippling for any business, especially when repeat breaches occur, not to mention the fines from noncompliance, which is why a proactive approach for maximum security is a must.

Social engineering attacks are the biggest and fastest-growing data breach threat, no matter how sophisticated an organization’s cybersecurity program is today. If your approach to these attacks isn’t already incredibly thorough and externally-focused, then threat actors still have a lucrative way to target your organization.

Ideally, you are already conducting risk assessments and vendor surveys as well. If so, well done! However, it is absolutely essential to recognize that vendors are most susceptible to a breach via social engineering attacks relying on exposed data. Privacy Bee not only minimizes the proliferation of your organization’s data across the vast digital landscape but also extends its protection to vendors, helping you ensure third-party partners do not serve as the weak link in your security defenses or put you at risk of noncompliance. Don’t miss this step, as far too many massive organizations fall victim to cyberattacks due to a vendor’s lack of proactive security.

Why would somebody do this?

In the ever-growing billion-dollar surveillance industry, Data Brokers and People Search Sites are the key players. They reap record-breaking profits by trading and transferring your organization’s information with obscure and uncontrollable entities. These entities then either publish this information directly for clicks or compile it all to sell on again to yet another organization. Suddenly, your and your employees’ personal data can be easily found via a quick Google search.

If it’s that simple to find your and your coworkers’ information, then threat actors can launch cyberattacks at scale by targeting the most vulnerable team members with emotionally engaging messaging that turns even the most highly trained professionals into victims on a regular basis. The only way to prevent this is by stopping the data flow at the source. The consequences are simply too costly to risk:

  • A solitary data breach leads to massive productivity losses, expensive remediation efforts, and recurring breach incidents.
  • This isn’t new, and is a predicament that plagues the vast majority of businesses following an initial breach. Industry estimates state that as many as 83% of organizations that experienced a data breach go on to experience multiple breaches. That is staggering, and is exactly what Privacy Bee is fighting back against.
  • The initial data breach sets off a chain reaction that inflicts short-term damage on your bottom line while eroding brand value and customer trust over time.
  • Furthermore, there are ripple effects to consider, such as heightened employee turnover due to poaching.

Privacy Bee combats threat actors lurking beyond your organization’s perimeters. By meticulously analyzing every location across the internet where your personal and sensitive data resides, then swiftly purging it, Privacy Bee closes the data security gap. The service even encompasses dark web monitoring and provides timely data breach notifications if another company falls victim to an exploitation incident and exposes your information in the process.

Our unwavering commitment is deeply rooted in the belief that privacy is an inalienable human right that transcends political discourse and negotiations. This is why Privacy Bee vigilantly monitors user data for security vulnerabilities while holding the surveillance industry accountable. We compel Data Brokers, People Search Sites, and more than 150,000 additional websites to expunge your stored data and opt out of further data collection to protect you, your family, and your entire organization. This unchanging goal is the reason we offer no-charge monitoring services and deletion guides. You need only reach out when help is needed.

Privacy Bee protection covers a wide range of potential threats, including:

  1. Data breaches
  2. Social engineering attacks
  3. Doxxing
  4. Spam emails
  5. Telemarketing calls
  6. Cyberstalking
  7. Identity theft
  8. Swatting
  9. Blackmail
  10. And more!

Privacy Bee is quickly emerging as the next necessary tool in your security tool belt. There’s no better addition for business leaders with a mature cybersecurity program wanting to protect employee and customer data in the midst of innovative threat actors using AI and other new apps to scale their efforts.

Privacy is more important and harder to come by than ever. Today, you need a trusted partner fighting to preserve your personal and organizational integrity.
