NPC issues data breach warning

The National Privacy Commission (NPC) on Monday issued a stern warning to companies handling sensitive data of customers and employees: Register with the NPC or face sanctions.

In a video statement, Atty. Aubin Arn Nieva, director of the NPC Data Security and Compliance Office, emphasized the importance of compliance with data privacy regulations.

Nieva stressed that non-compliance with registration requirements could result in substantial fines, potentially up to P5 million.

“We call upon all business owners processing the personal data of clients, customers, and employees to register with the NPC. If your business has 250 or more employees, 1,000 or more customers, or collects personal data that pose a risk to the rights or freedoms of data subjects, you are required to register with the NPC,” Nieva said.

Last week, the NPC confirmed that Robinsons Land, Japanese carmaker Toyota, and the Philippine National Police were the latest victims of data breaches. The incidents highlighted the critical importance of stringent data protection measures, it said.

“Even if your business does not meet these thresholds, you must submit a declaration for exemption. Non-compliance will result in corresponding sanctions and penalties,” Nieva said.

The NPC also encouraged the public to report any businesses collecting personal data without the NPC’s seal of registration.

Atty. Rainier Anthony Milanes, head of the NPC’s Compliance and Monitoring Division, noted in an advisory that the commission has received numerous data breach notifications from various personal information controllers.

Telecommunication companies have also earned the ire of some of their customers who lamented that the SIM Card Registration Law seemed to have failed in stopping scams from being perpetrated on smartphone users.

Many telco customers have gone on social media to air their suspicions that the data the telcos collected from them, in compliance with the SIM registration, had also been compromised.

In a recent interview on DAILY TRIBUNE’s digital show Usapang OFW, Department of Information and Communications Technology Assistant Secretary for Legal Affairs Renato Paraiso urged smartphone users who were victimized by scammers to file complaints with the National Telecommunications Commission.

Paraiso said they are looking at reports of possible breaches of customers’ data held by telcos, which may be held responsible by the NTC as a regulatory arm of the DICT.

The NPC, meanwhile, said it has been proactive in dealing with registration non-compliance. Last month, 47 physical stores in a mall by Manila Bay received show cause orders for failing to register, particularly businesses engaged in membership schemes such as fitness centers, travel agencies, and some restaurants.

Currently, over 7,000 stores and establishments are registered with the NPC and inspections are ongoing, it said. Businesses that fail to respond adequately to show cause orders or that give unacceptable reasons for non-registration will face sanctions, the NPC warned.

In April 2024, the NPC introduced guidelines for issuing Philippine Privacy Mark (PPM) certificates to both public and private organizations and companies that collect and manage personal data of Filipinos.

NPC Circular 2023-05 outlines the prerequisites for organizations and certification bodies participating in the PPM Certification Program.

The circular, which took effect on 15 March 2023, establishes the requirements for the certification of personal information controllers or processors and the accreditation of certification bodies under the PPM program.

NPC Circular 2023-06 focuses on the security of personal data in both the government and private sectors.

The PPM Certification Program aims to assess public and private organizations to ensure they implement secure and protected processing of personal information in their data privacy and protection management systems.

The NPC maintained that it continues to enforce these regulations rigorously to safeguard personal data and uphold the rights of data subjects. With ongoing inspections and compliance checks, the commission said it aims to enhance the overall data protection landscape in the Philippines.

Daily Tribune