Philippine companies need to take global data protection regulations more seriously — or risk being left behind.
This was the message of DivinaLaw Partner Atty. Jay-r C. Ipac during the 6th Data Privacy and Cybersecurity Professionals Summit held in Pasay City from 27 to 28 March 2025.
Addressing a room of privacy and security professionals, Ipac emphasized the growing importance of cross-border data compliance, particularly for businesses dealing with EU citizens or operating in multiple jurisdictions.
He explained that under the European Union’s General Data Protection Regulation (GDPR), the Philippines must either receive an “adequacy decision” — a declaration that its privacy framework meets EU standards — or ensure that proper safeguards are in place for data transfers.
“If you do not meet the adequacy decision of the GDPR,” said Ipac, “the controller or processor to whom you are sharing personal information must have provided appropriate safeguards, such as the EU’s standard contractual clauses.”
He added that within the ASEAN region, businesses should instead look to the ASEAN Model Contractual Clauses (MCCs) to regulate inter-country data transfers — though they don’t override the requirements of the GDPR if it applies directly.
Beyond legal frameworks, Ipac urged attendees to prioritize due diligence. “The key takeaway from international cases is this: It’s not enough to draft a good privacy policy. You need to ensure that it’s backed by actual practices that meet both legal and factual scrutiny,” he said.
Ipac is a member of the International Association of Privacy Professionals and a key member of DivinaLaw’s Data Privacy team.