Dear Atty. Peachy,
I run a small but growing online retail business here in the Philippines, and with the increasing number of reported data breaches, I find myself increasingly worried about the safety of my customers’ personal information.
I have heard a lot about the Data Privacy Act of 2012 but find the details a bit overwhelming. What are my responsibilities as a business owner to ensure compliance? More importantly, what are the potential repercussions if I fail to protect my customers’ data? Any guidance would be greatly appreciated.
Pearl
* * *
Dear Pearl,
It’s commendable that you’re taking data privacy seriously. In our digital age, safeguarding personal information is paramount, not only for compliance but also for maintaining the trust of your customers.
The Data Privacy Act of 2012 (Republic Act 10173) serves as a comprehensive framework for the protection of personal data in the Philippines. Your key responsibilities under the Data Privacy Act are as follows:
1. Data Collection and Processing: You must ensure that any personal data you collect is done lawfully and with the consent of the individual. This means customers should be fully informed about the purpose of the data collection and how their data will be used.
2. Data Protection: As a business owner, you are required to implement reasonable and appropriate security measures to protect personal data against unauthorized access, destruction, or alteration. This includes employing technical, administrative and physical safeguards.
3. Transparency: You must inform customers about their rights concerning their data, which includes the right to access, rectification, cancellation, and opposition. A clear privacy policy on your website will help establish transparency.
4. Data Breach Notification: In the event of a data breach, you must notify the National Privacy Commission (NPC) within 72 hours and inform affected individuals, especially if there is a likelihood of risk to their rights and freedoms.
5. Regular Training: Ensure that your employees are trained on the importance of data privacy and the procedures in place to protect customer data.
Failure to comply with the Data Privacy Act can have serious consequences. The penalties for violations include fines and imprisonment.
To ensure that your business complies with the Data Privacy Act and protects your customers’ data, start with a data privacy impact assessment to identify risks and areas for improvement. Additionally, enlist the help of a data protection officer if needed, especially as your business grows. In an increasingly data-driven world, taking these steps will not only help you comply with the law but also foster a strong sense of trust with your customers.
Take care and stay vigilant.
Atty. Peachy Selda-Gregorio