Amendments to PH data privacy law needed – expert

Published February 4, 2021, 5:19 PM

by Bernie Cahiles-Magkilat

Amendments to the data privacy law in the Philippines to address compliance and accountability of organizations will help ensure protection of personal data amid an expected worsening of breaches as more employees work remotely.

According to Kevin Shepherdson, CEO and founder of Straits Interactive, amendments to the country’s existing Data Privacy Act (DPA) granting the National Privacy Commission power to impose financial sanctions on organizations without going to the judicial courts will certainly go a long way. Straits Interactive offers innovative privacy solutions to organization.

Kevin Shepherdson, CEO and founder of Straits Interactive (Photo credit:

Other actions that NPC can take is to create a data protection trustmark similar to what Singapore has introduced for organizations to adopt. “This will provide an ROI for rewarding organizations to seriously implement their data privacy programs that will be audited by an assessment body,” Shepherdson said.

In the Philippines, he said, the NPC (National Privacy Commission) is expected to also roll out its own certification program by accrediting organizations to conduct the Data Privacy Officer (DPO) ACE (Accountability, Compliance and Ethics) program, aimed at establishing a skills benchmark for local privacy professionals.

In terms of scale, he said the Philippines data privacy landscape is still relatively in the infant stage compared with its European counterparts. The National Privacy Commission has actively pursued education and awareness programs for the general public in the last few years from the time the DPA came into effect. The NPC has also initiated various programs such as Privacy Awareness Week, forums and DPO ACE training programs.

COVID-19 has certainly raised awareness of the importance of privacy and enforcement actions from NPC will certainly prompt organizations to take the DPA seriously.

He pointed out though that NPC’s commissioner Raymond Liboro has put the Philippines on the world stage by earning the country a voting seat on the exclusive 5-member executive committee of the International Conference of Data Protection and Privacy Commissioners or the ICDPPC. 

NPC has also been chosen to lead efforts of Covid-19 Task Force (which is a new working group within the Global Privacy Assembly) in influencing global policy discussions on data privacy during the pandemic. These efforts do not just benefit the Philippines but also the ASEAN region as well – and NPC should continue representing the interests of the region at the world stage.

Singapore and the Philippines are currently at the forefront of personal data privacy and protection in the region. Both countries are co-leading the efforts in developing the ASEAN Framework on Digital Data Governance.

In terms of maturity though, he said, Singapore has the more mature data protection law. For example, he cited Singapore’s PDPC’s (Personal Data Protection Protection Commission) successful Practitioner Certificate in Personal Data Protection which is an exam-based preparation and certification for local DPOs, is being extended from two days to three days and will roll out in 2021.

Currently, Malaysia is only the other country in ASEAN that has an active data protection law in place.  But by the end of 2021, all the founding members of ASEAN will have rolled out data protection laws.

“Expect the other ASEAN countries to look to both Singapore and the Philippines in terms of leadership in privacy and data protection best practices,” said added.

In the meantime, he said “the threat of data breaches will be ever present especially in digitally driven businesses. What organizations need to do is to ensure that they have the capability to respond to breaches and regularly train employees on the company’s preventive and control measures. But as indicated earlier, we also expect more privacy breaches to happen as well.”

“In my opinion, data breaches will worsen, especially due to the remote working approach where IT support may find it challenging to address and fix all the security gaps in the organization’s infrastructure,” he said.

He cited the IBM Security’s Cost of a Data Breach Report 2019 and 2020, which showed that the average cost of a data breach is $3.92 million and US$3.86 million, respectively.  The research, which is conducted by the Ponemom institute, indicated that the total cost of a breach specifically in ASEAN is

$2.71 million in 2020 compared to $2.15 million.

Although high data breach costs do not necessarily mean that there is a high frequency of data breaches within the country, Shepherdson said the IBM report also showed that the United States (US) and the Middle East countries have currently incurred the highest data breach costs at $8.64 million on average, and $6.52 million, respectively

To safeguard their data in 2021, they should adopt good Governance, Risk Management and Compliance (GRC) relating to the handling and management of personal data.

This means, organizations should put in place committees to govern and protect the personal data they possess.

To manage risk, an organization should identify all the common privacy and security risks.  For example, if you have an online portal, web site or application, do a penetration test. This means you ethically hack into your own software to look for vulnerabilities that a cyber attacker can exploit. Once you have identified the potential gaps, create measures to fix the gap. Additionally, organizations should also have implemented all the proper security measures and access controls in place that are appropriate for your operations.

To ensure compliance, companies this year 2021 need to comply with the requirements of the PDPA. This means that organizations should be putting together policies and procedures to protect personal data. The regulators expect the organisation to demonstrate accountability if they face a data breach and get into trouble with the data protection and privacy law.

Organizations need to continue to reinforce what we call the “4Ds” in 2021 – Data Protection Officer, Data Protection Impact Assessments (PIAs), Data Protection by Design in their Data Privacy Management Program.

“2021 will also see the EU’s General Data Protection Regulation (GDPR) and ISO 27701 firmly established as de facto standards used for operational compliance and data privacy management,” he said.

He noted that many of the new upcoming laws and amendments in the region especially in Thailand, Indonesia, India and even China use GDPR as a reference standard. Even the upcoming changes in the Philippines Data Privacy Act is intended to keep the local legislation up-to-date with the GDPR.

Organizations operating in the region are therefore expected to use GDPR to ensure regional compliance. It is also expected that the ISO 27701, which is the international standard for privacy management systems, to gain greater adoption in 2021 and the years ahead as it is jurisdiction neutral.