Audit of privacy law compliance pushed
The National Privacy Commission wants an audit of companies and government entities on their compliance with the National Privacy Act, a government official said yesterday.
Privacy commissioner Dondi Mapa said the agency was planning to hire an accountability agent, in line with Asia-Pacific Economic Cooperation (Apec) rules.
He was referring to Apec’s cross-border privacy rules system, under which the Philippines could assign an accountability agent that needed to be approved by other member states.
“The accountability agent is the one that does that audit, the results of which will be submitted to us,” Mapa said on the sidelines of a forum organized by Microsoft Philippines.
The agency, he said, hoped to start the process within the next two years.
The privacy commission is pursuing this direction as private entities need to comply with the privacy law by Sept. 9 this year. That date marks the end of the one-year grace period since the law’s implementing rules and regulations were published last year.
Under the rules, companies with at least 250 employees or those that handle data of at least 1,000 people need to hire a data protection officer, the first step toward compliance.
According to the law’s IRR, a data subject refers to any individual whose personal or privileged information, such as names, addresses and birthdays, is processed.
There are no existing statistics on the number of Filipino companies that would be covered by the Data Privacy Law, which also covers government agencies and corporations, local government units and state universities.
Mapa estimated that about a million private entities and individuals could be covered, including small businesses, schools and professionals.
Apart from the planned audit, the privacy commission would also rely on complaints from customers or employees, in case a private sector data breach occurred. The law slaps hefty penalties on violators, including imprisonment and steep monetary fines.
Risks associated with data privacy exposure were brought to the fore with the notorious hacking of the voter database of the Commission on Elections in March last year. —MIGUEL R. CAMUS