Professional Service
In Compliance with Republic Act 10173 (Data Privacy Act 2012)
[Figure: personal data lifecycle, in four phases: COLLECTION, STORAGE, USE, DESTRUCTION. Processing activities shown around the cycle: Create & Collect, Recording, Consultation, Storage & Transit, Storage (Data at Rest), Retain, Retrieval, Use & Distribution, Analysis, Organization and Consolidation, Updating or Modification, Erasure, Dispose & Destroy.]
Employees
• Organic employees (regular and probationary)
• Project staff / agency employees
• Consultants / advisors
• Potential employees / candidates applying for a job with us
• Previous employees (but records are still with you)

Stockholders
• Shareholders (past and present)
• Board of directors (past and present)

Customers
• Individual customers
• Personal data of corporate customers
• Potential customers

Partners
• Vendors
• Third party service providers
• Corporate Office Visitors
Rights of the Data Subject

Right to be INFORMED
• Description of Personal Data to be used and processed
• Purpose/s for which they are being processed
• Scope and Method of processing
• Period for which Data will be stored
• Disclosure on Recipients of the Data (i.e., Personal Information Processors)

Right to DATA PORTABILITY
• Data subjects have the right to obtain from the BU a copy of his/her Personal Data
• The BU shall allow further use by the Data subject of his/her own Personal Data
• The exercise of this right primarily takes into account the Data subject's right to have greater control over his/her Personal Data for any further commercial purpose/s.

Right to ACCESS & CORRECT
• Data subject has the right to access, upon demand, any of the following:
  • Contents and Sources of Personal Data processed and stored
  • Manner by which Personal Data was processed
  • Names and addresses of Recipients
  • Reasons for the disclosure of Personal Data to Recipients
• Data subject may dispute any inaccuracies or errors in his/her Personal Data, and require the BU and/or the outsourced Data Processors to correct it immediately.

Right to OBJECT / OPT-OUT
• The Data subject shall have the right to withhold and/or revoke his/her consent
• Data subject may request the suspension, withdrawal, blocking / removal / destruction of Personal Information from processing systems, especially in cases where:
  • Information is incomplete, outdated, false, or unlawfully obtained
  • Information is being used for purpose/s not authorized by the Data subject
  • Information is no longer necessary for the purpose/s for which it was collected
WHEN DOES THE DPA APPLY
Controller versus Processor
Are you a Personal Information Controller (PIC) or Personal Information Processor (PIP)?

PIC: "Personal Information Controller" is any person or organization who controls the collection, holding, processing, or use of personal data.

PIP: "Personal Information Processor" is any person or organization to whom a personal information controller has outsourced the processing of personal data.
WHEN DOES THE DPA APPLY
Scope of Application / Coverage

Offense | Imprisonment | Fine
1) Unauthorized processing of personal information | 1 year to 3 years | Php 500k to Php 2M
2) Unauthorized processing of sensitive personal information | 3 years to 6 years | Php 500k to Php 4M
3) Accessing personal information due to negligence | 1 year to 3 years | Php 500k to Php 2M
4) Accessing sensitive personal information due to negligence | 3 years to 6 years | Php 500k to Php 4M
5) Improper disposal of personal information | 6 months to 2 years | Php 100k to Php 500k
6) Improper disposal of sensitive personal information | 1 year to 3 years | Php 100k to Php 1M
7) Processing of personal information for unauthorized purposes | 18 months to 5 years | Php 500k to Php 1M
8) Processing of sensitive personal information for unauthorized purposes | 2 years to 7 years | Php 500k to Php 2M
9) Unauthorized access or intentional breach | 1 year to 3 years | Php 500k to Php 2M
10) Concealment of security breach involving sensitive personal information | 18 months to 5 years | Php 500k to Php 1M
11) Malicious disclosure | 18 months to 5 years | Php 500k to Php 1M
12) Unauthorized disclosure of personal information to a third party | 1 year to 3 years | Php 500k to Php 1M
13) Unauthorized disclosure of sensitive personal information to a third party | 3 years to 5 years | Php 500k to Php 2M
14) Combination of the above | 3 years to 6 years | Php 1M to Php 5M
5 Pillars of DPA Compliance

Data Protection Officer
• Advocacy
• Breach management
• Cooperation with NPC
• Data Subjects and other authorities
• Ensure compliance with other duties & requirements

Privacy Impact Assessment
• Personal data flow
• Identify and assess privacy risks
• Address risks

Privacy Management Plan
• Privacy notice
• Privacy policy
• Privacy manual

Data Privacy Principles & Security Measures
• Principles: Transparency, Legitimate Purpose, Proportionality
• Security Measures: Organizational, Physical, Technical

Personal Data Breach Notification
• What is subject to notification
• Who should notify
• When should NPC be notified
• When should the data subject be notified
Data Protection: Common Denominator for Statutes, Regulations, Standards (Samples)
Consent from the Data Subject

CONSENT: An informed indication of will that is freely given, whereby the Data Subject agrees to the collection and processing of his/her Personal Information.

• Informed – declaration of purpose/s for which personal information will be used, including entities (3rd party/ies or otherwise) that will be given access to the information
• Freely Given – evidenced by written or electronic means, initiated by the Customer
Required Security Measures

Organizational Security
• Appointment of a data protection officer
• Enforcement of data protection policies
• Keeping records of processing activities
• Training for personnel handling personal information
• Contractual controls for outsourced data processors

Physical Security
• Limitation of access to areas processing personal information
• Workstation design for privacy
• Physical access controls to restricted areas where PI is processed
• Secure handling of media containing personal information
• Secure destruction of media containing personal information

Technical Security
• Security policy
• Network security controls
• Ability to maintain CIA of processing systems
• Regular monitoring of security breaches
• Ability to restore personal information from an incident
• Process to regularly test the implemented security measures
• Encryption of personal information
Level of Risk Assessment

Criterion | LOW RISK | MEDIUM RISK | HIGH RISK
Data Stored | No Personal Data | Personal Information | Sensitive Personal Information
Origin | -- | Filipino Citizens only | Includes Foreign Nationals
Storage Access | Onsite (owned) | Onsite and Offsite (owned) | Both Owned and via Third Party/ies
Deliverables (Effort: 60 mandays)
1. Training plan for DPO
2. Privacy Impact Assessment
3. Data Inventory
4. Data Classification Matrix
5. Data Flow Diagrams
6. Gap Analysis
7. Data Privacy Remediation Roadmap

Note:
• The majority of the work is done onsite, while some is performed remotely.
• The project effort is only an estimate and depends on the complexity of the client's business model.

Deliverables (Effort: 90 mandays)
1. Privacy Management Plan
2. Information security and data privacy policies and procedures for data security
3. Privacy Notice for External use
4. Consent Evaluation Report
5. Data Processing Policy
6. Formal Policies for the following:
   a. User Access
   b. Data Destruction
   c. Data Retention
   d. Data Breach
   Data Correction
7. Vendor Management Process for rapid evaluation of third parties on security and privacy practices.
8. Customized training plan for data processors
DP Remediation Solutions

Technical Compliance Requirement | ePLDT Solution
Privacy Impact Assessment for active systems in the network | Vulnerability Assessment; Network Assessment
Data Processing Security (security measures to protect data against natural disasters, power disturbances, external access, etc.) | VITRO Data Center; Cloud Solutions
Breach Monitoring (monitoring against security breach or unauthorized access) | Managed Security
Data encryption (at rest and in transit) | Managed Security; Data Encryption; Data Loss Prevention; Mobile Device Management
Disaster Recovery | DR as a Service; DR Site (Colocation); Disaster Recovery Seats