The Importance of Protecting Personal Data
In 2017, 2.7 million data records were compromised by data breaches globally. Of these incidents, more than two-thirds involved identity theft, with financial-access breaches the next most common. In the digital age, personal data, not the bank account itself, has become the more attractive target, because stolen identity data can be reused for fraud long after a single account is closed. More and more organizations worldwide are recognizing this growing threat and the need to put appropriate safeguards in place.
A company's human resource department, for example, produces and gathers large volumes of confidential data about the organization and its employees every day. It is the responsibility of the company, and of every other Personal Information Controller (PIC) that collects, holds, processes, or uses personal information, to protect that data. With the enactment of Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), that responsibility has become a legal obligation rather than merely good practice.
The DPA requires Personal Information Controllers to observe the data privacy of their clients and to follow the principles of the law (transparency, legitimate purpose, and proportionality) in protecting both personal information (any information from which an individual's identity is apparent or can reasonably and directly be ascertained, or which, combined with other information, would identify the individual) and sensitive personal information (race, ethnic origin, marital status, age, religious or political affiliation, health, education, genetic or sexual life, government-issued identifiers such as social security numbers, and similar data).
Several aspects of the DPA particularly affect HR practitioners and other PICs.
Consent
Under the DPA, consent of the data subject (the individual whose information is being processed) must be freely given, specific, and informed, and it must be evidenced by written, electronic, or recorded means. Consent is the most common lawful basis for processing, although Section 12 of the Act also recognizes other bases such as processing that is necessary to fulfil a contract with the data subject or to comply with a legal obligation; for sensitive personal information the permitted bases are narrower (Section 13), and consent is the usual route.
While companies typically obtain consent when employees sign their employment contract, the DPA tightens this requirement and makes it clearer. Employees must be aware that they are consenting to the collection and processing of their information, and not merely agreeing to employment clauses. The consent must also be specific to the stated purposes: implied consent, or consent buried in an unrelated document, is not considered valid.
Right to be Forgotten
The DPA also gives data subjects the right to suspend, withdraw, or order the blocking, removal, or destruction of their personal information from a PIC's filing system. Companies and other PICs must comply when the data subject establishes any of the following:
- The information is incomplete, false, outdated, or was unlawfully obtained.
- The information is being used for purposes the data subject did not authorize.
- The information is no longer necessary for the purpose for which it was originally collected.
- The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for continuing it.
- The information is private information that is prejudicial to the data subject, unless its processing is justified by freedom of speech, expression, or the press, or is otherwise authorized.
- The information was unlawfully processed, or the PIC otherwise violated the rights of the data subject.
DPO Appointment
Under the DPA, it is not enough for a company to leave implementation to the HR department. Every organization is required to designate a Data Protection Officer (DPO), who is accountable for ensuring the company's compliance with the DPA, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission. This role can be filled by one individual or by several people within the company, but accountability must be clearly assigned.
Data Breach Notification
In the event of a personal data breach, the company is required to notify the National Privacy Commission within 72 hours of learning of the breach, or of forming a reasonable belief that one has occurred, so that the Commission can escalate and provide guidance. Notification is mandatory when sensitive personal information, or other information that could be used to enable identity fraud, is reasonably believed to have been acquired by an unauthorized person and the breach is likely to give rise to a real risk of serious harm to the affected individuals. The company must also notify those individuals, describing the nature of the breach, the personal information that may have been involved, and the steps the company is taking to address the situation.
Breach notification is only one facet of the rights of data subjects, which also include, but are not limited to, the right to be informed about how their data is processed, the right to reasonable access to their personal information, the right to rectify errors in it, and the right to object to its processing.
Compliance and Cooperation
In light of the growing threat of cyber attacks across industries around the world, and the corresponding rise of data privacy laws in the European Union and across Asia, companies would be prudent to recognize the work ahead of them in securing the data of their clients and customers.
While compliance poses organizational challenges, the benefits far outweigh them. In the eyes of consumers and clients, data privacy compliance builds trust: it shows them that their data is safe in your company's hands and, therefore, that their business will be as well.
Learn how your company can become compliant and avoid fines and criminal liability by attending Higher Heights Training and Events' seminar, Data Privacy Act: A Step by Step Compliance, on September 8, 8:00AM – 5:00AM at the Technopark Hotel, Santa Rosa City. For more details on the seminar and other business tips, visit HigherHeights.ph or https://www.facebook.com/higherheights.ph/