Gov’t, firms face probe on lax data security defenses
The National Privacy Commission (NPC) warned that government agencies and private companies could face “compliance checks” for failing to meet the deadlines for the registration of their data processing systems.
According to the NPC, a compliance check would involve interviews, operation inspections, document analyses, and pertinent activities intended to appraise the organization’s culture of privacy.
The registration has two phases. The first involves the registration of Data Protection Officers (DPOs) who would serve as point persons for the privacy matters of the company or the government organization.
The deadline for the first phase, which was originally set for Sept. 9, a nonworking holiday, was moved to Sept. 11.
The second phase, which involves the registration of personal data processing systems, runs until March 8 of next year.
“Failure to register may subject a company or an agency to compliance checks, compliance orders, and depending on attendant circumstances may be considered evidence of unauthorized processing, punishable under the Data Privacy Act,” said Privacy Commissioner Raymund Enriquez Liboro.
“For one thing, in case an organization suffers a data breach in the future, its nonregistration would imply lack of due diligence, critical in defending against charges of negligence,” he added.
Liboro said the NPC would continue accepting registration papers even after the deadline, but warned these would be considered “late registrants.”
According to the NPC, several conglomerates have already registered their DPOs with the commission, among them companies under the Ayala Group, SM Group, and the Lucio Tan Group.
Not everyone is required to register. Under the implementing rules and regulations of the Data Privacy Act, only companies or government agencies that employ 250 workers or more are required to register. Those with fewer than 250 workers are required to register only if their “operations involve the processing of personal data that may likely pose a risk.”