
ePLDT Data Protection

Professional Service
In Compliance with Republic Act 10173 (Data Privacy Act of 2012)

Chris de los Santos
ePLDT Group Data Protection Officer (DPO)
Head of Professional Services (ePLDT Business Services)
Has more than 18 years of experience in the Information and Communications Technology Industry and is currently the Head of Professional Services in ePLDT and the ePLDT Group's Data Protection Officer.

Head of Professional Services
• Responsible for assessing the client's enterprise architecture, recommending a digital transformation strategy, and implementing the target architecture.
• Helps clients transition into a managed service model for improved, effective, and efficient operations.

Data Protection Officer
• Accountable for ensuring compliance of the ePLDT Group with applicable laws and regulations for the protection of data privacy and security (Republic Act 10173).
• ePLDT delivers best-in-class digital business solutions utilizing purpose-built cloud and data center facilities.
• The ePLDT Group includes:
  • AGS (ABM Global Solutions) - a business management solutions enabler focused on Enterprise Resource Planning and Spend Management
  • Curo Teknika - an IT & business process management outsourcing company
  • ePDS - a client communications managed service provider engaged in document management and digital printing
  • IPC (IP Converge Data Services, Inc.) - a leading data center operator and pioneer cloud services provider
Data Privacy Act of 2012 (RA 10173)
• IRR was published on August 25, 2016 (effectivity: September 10, 2016).
• Impacts all industries, businesses, and offices processing Personal Information.
• Personal Information Controllers (PIC) / Processors (PIP) must register their processing systems/operations with the National Privacy Commission (NPC) by September 10, 2017.
What is Personal Information?
• Information from which the identity of an individual is apparent or can be reasonably ascertained.
• Information that, when put together with other information sources, would be able to identify an individual.
What is Sensitive Personal Information?
• Age, Marital Status, Color, Religion, Race, Ethnic Origin, Philosophical or Political Affiliation
• Education, Health, Genetic or Sexual Life, Criminal History
• Government issued identifiers
• Information established by an Executive Order or Law as classified information
WHEN DOES THE DPA APPLY
Processing of Personal Information

Personal Data Lifecycle ("Processing") - figure: a cycle with four stages, COLLECTION, STORAGE, USE, and DESTRUCTION, surrounded by the processing operations covered by the DPA: Create & Collect, Recording, Organization and Consolidation, Storage & Transit (Data at Rest), Updating or Modification, Consultation, Retrieval, Analysis, Use & Distribution, Retain, Erasure, Dispose & Destroy.


Who are the Data Subjects?

Employees
• Organic employees (regular and probationary)
• Project staff/agency employees
• Consultants/advisors
• Potential employees/candidates applying for a job with us
• Previous employees (but records are still with you)

Stockholders
• Shareholders (past and present)
• Board of directors (past and present)

Customers
• Individual customers
• Personal data of corporate customers
• Potential customers

Partners
• Vendors
• Third party service providers
• Corporate Office Visitors
Rights of the Data Subject

Right to be INFORMED
• Description of Personal Data to be used and processed
• Purpose/s for which they are being processed
• Scope and Method of processing
• Period for which Data will be stored
• Disclosure on Recipients of the Data (i.e., Personal Information Processors)

Right to DATA PORTABILITY
• Data subjects have the right to obtain from the BU a copy of his/her Personal Data
• The BU shall allow further use by the Data subject of his/her own Personal Data
• The exercise of this right primarily takes into account the Data subject's right to have greater control over his/her Personal Data for any further commercial purpose/s.

Right to ACCESS & CORRECT
• Data subject has the right to access – upon demand – any of the following:
  • Contents and Sources of Personal Data processed and stored
  • Manner by which Personal Data was processed
  • Names and addresses of Recipients
  • Reasons for the disclosure of Personal Data to Recipients
• Data subject may dispute any inaccuracies or errors in his/her Personal Data, and require the BU and/or the outsourced Data Processors to correct it immediately.

Right to OBJECT / OPT-OUT
• The Data subject shall have the right to withhold and/or revoke his/her consent
• Data subject may request for the suspension, withdrawal, blocking / removal / destruction of Personal Information from processing systems, especially in cases where:
  • Information is incomplete, outdated, false, or unlawfully obtained
  • Information is being used for purpose/s not authorized by the Data subject
  • Information is no longer necessary for the purpose/s for which they were collected
WHEN DOES THE DPA APPLY
Controller versus Processor
Are you a Personal Information Controller (PIC) or Personal Information Processor (PIP)?

PIC - "Personal Information Controller": any person or organization who controls the collection, holding, processing, or use of personal data
PIP - "Personal Information Processor": any person or organization to whom a personal information controller has outsourced the processing of personal data
WHEN DOES THE DPA APPLY
Scope of Application / Coverage
• Involves the personal data of a Philippine citizen or Philippine resident
• Processing of personal data is being done in the Philippines
• Processing of personal data is done by an entity with links to the Philippines (e.g., equipment in the Philippines; office/branch/agency in the Philippines; contract entered in the Philippines; carries on business in the Philippines)
Penalties for Non-Compliance
• The higher range of penalties of imprisonment and fine is imposed when sensitive personal information is involved.
• The maximum penalties are imposed when the personal information of at least 100 persons is harmed, affected, or involved in the breach.
• If the offender is a corporation, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence allowed, the commission of the crime.
Penalties for Non-Compliance

No. | Punishable Act                                                          | Imprisonment         | Fine
 1  | Unauthorized processing of personal information                         | 1 year to 3 years    | Php 500k to Php 2M
 2  | Unauthorized processing of sensitive personal information               | 3 years to 6 years   | Php 500k to Php 4M
 3  | Accessing personal information due to negligence                        | 1 year to 3 years    | Php 500k to Php 2M
 4  | Accessing sensitive personal information due to negligence              | 3 years to 6 years   | Php 500k to Php 4M
 5  | Improper disposal of personal information                               | 6 months to 2 years  | Php 100k to Php 500k
 6  | Improper disposal of sensitive personal information                     | 1 year to 3 years    | Php 100k to Php 1M
 7  | Processing of personal information for unauthorized purposes            | 18 months to 5 years | Php 500k to Php 1M
 8  | Processing of sensitive personal information for unauthorized purposes  | 2 years to 7 years   | Php 500k to Php 2M
 9  | Unauthorized access or intentional breach                               | 1 year to 3 years    | Php 500k to Php 2M
10  | Concealment of security breach involving sensitive personal information | 18 months to 5 years | Php 500k to Php 1M
11  | Malicious disclosure                                                    | 18 months to 5 years | Php 500k to Php 1M
12  | Unauthorized disclosure of personal information to a third party        | 1 year to 3 years    | Php 500k to Php 1M
13  | Unauthorized disclosure of sensitive personal information to a third party | 3 years to 5 years | Php 500k to Php 2M
14  | Combination or series of the above acts                                 | 3 years to 6 years   | Php 1M to Php 5M
5 Pillars of DPA Compliance

1. Data Protection Officer
   • Advocacy
   • Breach management
   • Cooperation with NPC, Data Subjects, and other authorities
   • Ensure compliance with other duties & requirements

2. Privacy Impact Assessment
   • Personal data flow
   • Identify and assess privacy risks
   • Address risks

3. Privacy Management Plan
   • Privacy notice
   • Privacy policy
   • Privacy manual

4. Data Privacy Principles & Security Measures
   • Principles: Transparency; Legitimate Purpose; Proportionality
   • Security Measures: Organizational; Physical; Technical

5. Personal Data Breach Notification
   • What is subject to notification
   • Who should notify
   • When should the NPC be notified
   • When should the data subject be notified
Data Protection
Common Denominator for Statutes,
Regulations, Standards

Samples
Consent from the Data Subject

CONSENT: An informed indication of will that is freely given, whereby the Data Subject agrees to the collection and processing of his/her Personal Information.
• Informed – declaration of purpose/s for which personal information will be used, including entities (3rd party/ies or otherwise) that will be given access to the information
• Freely Given – evidenced by written or electronic means, initiated by the Customer
Required Security Measures

Organizational Security
• Appointment of a data protection officer
• Enforcement of data protection policies
• Keeping records of processing activities
• Training for personnel handling personal information
• Contractual controls for outsourced data processors

Physical Security
• Limitation of access to areas processing personal information
• Workstation design for privacy
• Physical access controls to restricted areas where PI is processed
• Secure handling of media containing personal information
• Secure destruction of media containing personal information

Technical Security
• Security policy
• Network security controls
• Ability to maintain CIA (confidentiality, integrity, availability) of processing systems
• Regular monitoring of security breaches
• Ability to restore personal information from an incident
• Process to regularly test the implemented security measures
• Encryption of personal information
Level of Risk Assessment

Criterion        | LOW RISK          | MEDIUM RISK                | HIGH RISK
Data Stored      | No Personal Data  | Personal Information       | Sensitive Personal Information
Volume of Data   | ≤ 250 Records     | ≤ 1,000 Records            | > 1,000 Records
Origin           | --                | Filipino Citizens only     | Includes Foreign Nationals
Storage Access   | Onsite (owned)    | Onsite and Offsite (owned) | Both Owned and via Third Party/ies
Storage Location | --                | One Site only              | Multiple Sites
Storage Media    | Non-Digital only  | Digital only               | Both Non-Digital and Digital Storage
Privacy Impact Assessment
• Privacy risk: the probability that the data processing or other activity involving personal data will result in a loss of the rights and freedoms of an individual.
• Risk level may be adjusted for severity, likelihood, and magnitude.
Privacy by Design (PbD)
The organization's approach to privacy protection can be assessed against the seven PbD Principles to establish its overall privacy posture.
Registration & Compliance Requirements
Under Section 46 of the IRR, the Commission requires the following to ensure compliance with the DPA:
• REGISTRATION of personal data processing systems operating in the Philippines involving accessing or requiring sensitive personal information of at least 1,000 individuals
• NOTIFICATION of automated processing operations where processing is the sole basis for decisions to be made significantly affecting the data subject
• ANNUAL REPORTING of the summary of documented security incidents and personal data breaches
• COMPLIANCE WITH OTHER REQUIREMENTS as may be provided by the Commission.
ePLDT Data Protection
Professional Service

ePLDT Highly Confidential


DP Consulting Phases
Phase 1 – Baseline/Gap Analysis (Analyze, Design stages); Phase 2 – Plan Development/Getting Compliant (Build, Deploy stages)

Analyze
A compliance baseline is created which covers the following areas:
• Data Inventory
• Data Classification/Control Framework
• Process Inventory
• Privacy Policy
• Privacy Notice
• Consent Review
• Data Processing Policy
• Procedure for Objection
• User Access Policy and Procedure
• Data Correction
• Complaint Procedure
• Data Retention
• Data Destruction
• Data Breach
• Vendor Management
• Privacy Training
• Plan Monitoring

Design
Gap Analysis is performed to determine the variance between the baseline established in the Analyze stage and the processes, policies, and procedures that should be practiced for compliance with the Data Privacy Act (RA 10173).

Build
All variances between the desired end-state and the baseline are either enhanced or established, depending on whether they already exist. It is in this stage where work is concentrated on meeting the project objectives. It is also in this stage where all work products are tested.

Deploy
In the Deploy stage, the new processes, policies, and procedures are rolled out to the company. An overall culture of security and privacy is created in the company through the established communication plan as well as training programs.
Phase 1 – Baseline/Gap Analysis
This phase includes the creation of a training plan for the Data Protection Officer (DPO) and the Gap Analysis (Analyze & Design stages).

Deliverables
1. Training plan for DPO
2. Privacy Impact Assessment
3. Data Inventory
4. Data Classification Matrix
5. Data Flow Diagrams
6. Gap Analysis
7. Data Privacy Remediation Roadmap

Effort: 60 mandays

Phase 2 – Plan Development/Getting Compliant
This phase includes all the policy development stages, breach recovery planning and testing (Build & Deploy stages).

Deliverables
1. Privacy Management Plan
2. Information security and data privacy policies and procedures for data security
3. Privacy Notice for external use
4. Consent Evaluation Report
5. Data Processing Policy
6. Formal Policies for the following:
   a. User Access
   b. Data Correction
   c. Data Destruction
   d. Data Retention
   e. Data Breach
7. Vendor Management Process for rapid evaluation of third parties on security and privacy practices
8. Customized training plan for data processors

Effort: 90 mandays

Note:
• The majority of the work is done onsite while some is performed remotely.
• The project effort is an estimate and depends on the complexity of the client's business model.
DP Remediation Solutions

Technical Compliance Requirement                                                                          | ePLDT Solution
Privacy Impact Assessment for active systems in the network                                               | Vulnerability Assessment; Network Assessment
Data Processing Security (security measures to protect data against natural disasters, power disturbances, external access, etc.) | VITRO Data Center; Cloud Solutions
Breach Monitoring (monitoring against security breach or unauthorized access)                             | Managed Security
Data encryption (at rest and in transit)                                                                  | Managed Security; Data Encryption; Data Loss Prevention; Mobile Device Management
Disaster Recovery                                                                                         | DR as a Service; DR Site (Colocation); Disaster Recovery Seats



Thank You!
