Philippines Data Privacy Act

What is the Data privacy Act?

During the last decade, the Philippines has experienced an unprecedented growth in IT, digital economy as well as social media participation which influenced the government’s decision to protect the privacy of individuals and ensure the free flow of information.

The Data Privacy Act was approved in 2012 and provides a framework for regulating the processing and storage of particularly personal and sensitive data, given the new ways of information exchange that have opened up and continue to open up in this era.

The law has an extra-territorial jurisdiction where businesses that are based in, carry out business in or process sensitive data collected or held by an entity in the Philippines are subject to the regulation.

Organizations from the banking, retail, IT sectors that have branches, or that use equipment located in the Philippines are required to comply with the legislation and protect their customers’ sensitive information. The Filipino regulatory has the right to fine entities who do not respect the regulation up to $79,000 depending on the type of infraction. Criminals also risk up to 6 years of imprisonment.

 

Requirements

Right to Access:

Any entity possessing any personal information must provide the data subject with a description of such data in its possession, as well as the purposes for which they are to be or are being processed. Furthermore, other details regarding the processing of the data may be obtained, such as the period for which the data will be stored, and the recipients to whom the data may be disclosed.

How SecuPi Helps:

To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).

 

Right to Deletion/Suspension of Processing

Data subjects can suspend, withdraw or order the blocking, removal, of their personal information from the data controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected.

How SecuPi Helps:

On the application level, SecuPi redacts information on customer who requested to be forgotten (referred to as “logical deletion” ). On the database level, SecuPi applies Format Preserving Randomization (FPR) Anonymization, ensuring that both the personal data is anonymized, as well as randomized on different databases, to prevent correlation of the same anonymized value between different data sets.

 

Right to be Informed:

Collection and processing of information without the data subject’s knowledge and explicit consent is made unlawful, and entities possessing personal information are obligated to inform data subjects of any breaches or compromises in their data. Data subjects have the right to know when their personal information shall be, are being, or have been processed.

How SecuPi Helps:

To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request). Using Dynamic Masking and redaction, SecuPi can disable access to data subjects where consent wasn’t given or where the customer requested to restrict processing of personal data.

 

Records of Processing:

Entities must maintain records that explicitly describe their data processing system and identify the duties and responsibilities of those individuals who will have access to data subject’s personal information.

How Secupi Helps:

SecuPi’s audit logs are clear and factual and can show which processor accessed which data, as well as providing full transcript of the processing activities done through the application. Since the SecuPi agent is deployed on the application server, it has access to all relevant information, including which user was used to process the information, timestamp, URI, etc. SecuPi enables to map data-flows and provides the ability to granularly audit and control it to maintain access on a “need to know basis” and use data in line with its purpose.

 

Breach Notification:

The data controller is required to notify the National Privacy Commission as well as the affected data subjects when it has reasonable belief that sensitive personal information or other information has been acquired by an unauthorized person, and that:

  1. Such personal information may, under the circumstances, be used to enable identity fraud
  2. The data controller or the National Privacy Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

How SecuPi Helps:

In the unfortunate case of a breach, SecuPi’s audit logs and behavior analytics can pinpoint exactly which data was exposed and breached, and significantly shorten the reporting time, while providing accurate and accountable information. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).

Want to see our product in action? Join us for a Demo!
Contact Us
Schedule a demo
Apply for this Job

    Or send your resume at text@secupi.com
    Thank for you applying
    We will be in touch shortly.