Data Privacy Protection

How to Make Your Business Data Privacy Compliant

The Constitutional Right to Privacy and Data Privacy

The Right to Privacy

The right to be let alone. That is another way of describing the right to privacy. 


As a business owner or service provider, do you make your customers feel let alone? Do you respect your customers’ right to privacy? If you obtained your customer’s personal information, can you do anything you want with it? How are you protecting your customers’ data privacy? What are the steps you take to comply with the Data Privacy Act?

Sometimes, collecting, using, and storing your customers’ personal information is part of your business. A membership or subscription-based business is an example. 

At other times, your business may collect your customers’ personal information to personalize or customize your products. You then use this information to learn more about their buying behavior so that you can provide better products and services. 

Under the 1987 Constitution of the Philippines, every person – meaning your customers – has the right to be secure in their persons, houses, papers, and effects,1 as well as the right to the privacy of their communication and correspondence.2

The right to privacy is “the right to be free from unwarranted exploitation of one’s person or from intrusion into one’s private activities in such a way as to cause humiliation to a person’s ordinary sensibilities.”3 It is the right of an individual “to be free from unwarranted publicity, or to live without unwarranted interference by the public in matters in which the public is not necessarily concerned.”4

What this all means is that your customers have the right to determine what personal information they want to share. They have the right to determine what, how much, to whom, and when information about them shall be disclosed.5 In fact, one aspect of privacy is the withholding or concealment of information.6

Personal data can be likened to personal property like a house, a car, or a piece of jewelry. No one has the right to use the property without the owner’s consent. In addition, the owner has the right to dictate how the property will be used.

So, how do you collect, use, and store your customers’ personal information?

Data Privacy

To balance the fundamental right to privacy and the vital role of information and communications technology in nation-building, the government enacted the Data Privacy Act of 2012,7 to ensure that personal information processed by the government and the private sector is secured and protected.

As a business owner or service provider, you need to take note of the following terms used in the law:

  • Data subject. The data subject is an individual whose personal information is processed.8

For now, let us focus on your customers as the data subject. But, it also includes your shareholders, partners, investors, suppliers, and employees.

  • Personal information. Personal information is any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information, would directly and certainly identify an individual.9

Therefore, personal information consists of all the personal data you collect that can identify your customers.

  • Processing. Processing refers to any operation or any set of operations performed upon personal information. Processing includes:
    • Collection
    • Recording
    • Organization
    • Storage
    • Updating or modification
    • Retrieval
    • Consultation
    • Use
    • Consolidation
    • Blocking
    • Erasure
    • Destruction

In other words, whatever you do with your customer’s personal information is considered processing of personal information.

  • Personal information controller. A personal information controller is a person or organization who controls the collection, holding, processing, or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.10

This is you as the business owner.

  • Personal information processor. A personal information processor is any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.11

If you decide to outsource the activity to another company instead of processing your customers’ personal information yourself, the third-party provider is called the personal information processor. You must remember, however, that even if you have outsourced the processing of your customer’s personal information, you are still “responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements” of the Data Privacy Act.12

So, let us go back to our question earlier. As a business owner, how do you go about collecting, using, and storing your customers’ personal information?

Processing Your Customers’ Personal Information

Customer Information Processing and Privacy

In general, the law allows business owners to process their customers’ personal information for as long as they comply with the requirements of the law and adhere to the data privacy principles.13

On the other hand, the processing of sensitive personal information and privileged information is generally prohibited and allowed only in certain limited cases.14

Criteria for lawful processing of personal information

Business owners are permitted to process their customers’ personal information for as long as it is not otherwise prohibited by law. However, the Data Privacy Act requires the existence of at least one of the following conditions:15

  • Consent of your customers. As stated earlier, your customers’ personal information is like private property. Hence, if you need to get your customers’ personal information, you must get their permission. Your customers should have given their consent before you collect their personal information. If you forgot to get your customers’ consent before the collection, it should be obtained as soon as practicable and reasonable.16

You are, however, required to declare and specify the purpose for which you collect your customers’ personal information. Otherwise, the customers might not know what they are consenting to or might object later on that they were misled into giving their consent. In addition, you must remember that consent that was initially given can be withdrawn.17 It is their property.

  • Necessary to the fulfillment of your contractual obligation to your customers. In executing a contract, it is necessary to obtain the personal information of your customers. For example, you will need their name, their address, sometimes their tax identification number, and a copy of their valid ID for notarization purposes. Sometimes, you will even obtain their contact numbers to contact them regarding the status of their order or the delivery of your products.
  • Compliance with your business’ legal obligations. As a business owner, you are required to comply with specific government regulations. Let us say, for example, that you are required to withhold taxes for a particular transaction. Therefore, you must collect your customer’s personal information to execute the withholding tax return.
  • Protection of the vital interests of your customers, including their life and health. In the healthcare business, you will need to collect your customers’ personal information to give the proper treatment.
  • Necessary to respond to national emergencies or to comply with the requirements of public order and safety. Businesses experienced this at the height of the COVID-19 pandemic. The national government required essential businesses that were allowed to open to collect their customers’ personal information for contact tracing purposes.
  • Necessary for the fulfillment of the constitutional or statutory mandate of a public authority. This provision refers to government agencies and local government units.
  • Necessary to pursue the legitimate interests of the personal information controller or personal information processor. This provision is a catch-all for instances that the law does not expressly mention but may still cover.


What steps should you take to comply with the Data Privacy Act?


You must comply with specific requirements if you are a business owner who needs to process your customers’ personal information. If you violate the law or fail to comply with the requirements, you may be imprisoned from as low as one year to as high as seven years, or fined from as low as Php100,000 to as high as Php5,000,000, depending on the violation. 

The law requires the registration of personal data processing systems operating in the country that involve accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing systems of contractors, and their personnel, entering into contracts with government agencies.18

It also requires the notification of automated processing operations where the processing becomes the sole basis for making decisions that would significantly affect the data subject.19

In addition to registration and notification, you will need to submit a report of the summary of documented security incidents and personal data breaches yearly.20

Other than these, you must adhere to certain principles, respect your customers’ data privacy rights, and implement specific security measures to secure and protect your customers’ personal information.

Adherence to data privacy principles

In processing your customers’ personal information, you must keep the principles of transparency, legitimate purpose, and proportionality in mind.

1. Transparency. Your customers should be aware of the nature, purpose, and extent of processing their personal information. You should inform them of the risks involved, their data privacy rights, and how these can be exercised.21 This information should be given in clear and plain language so that it is easy to understand and access.22

2. Legitimate purpose. Your customers must be made aware of the specific purpose for which their personal information is being processed. The purpose should be legitimate, moral, or in accordance with public policy.23 Some of the purposes named in the law are direct marketing purposes, profiling purposes, and automated processing purposes.24

3. Proportionality. You should only obtain personal data that is adequate, relevant, suitable, necessary, and compatible with your declared, specified, and legitimate purpose.25

Respecting your customer’s data privacy rights

When processing their personal information, you must be mindful of your customers’ data privacy rights. You need to ensure that their data privacy rights are secured and protected.

  • The right to be informed. As earlier stated, your customers should be aware that their personal information will be processed, and they should be informed of the nature, purpose, and extent of personal data that you will be processing.26
  • The right to access. Your customers have the right to obtain from you a copy of any information relating to them that you may have on your computer database or manual filing system. If requested, you should provide this information in an easy-to-access format, accompanied by a full explanation executed in plain language.27
  • The right to object. You cannot process your customers’ personal information if they do not consent. If they initially give their consent, they can also withdraw it at any time. However, suppose the processing of their personal information is required under a subpoena, for obvious purposes such as performing a contract, or as a result of a legal obligation. In that case, you must process your customers’ personal information even if they object. But as always, you must inform them why you need to process their personal information even if they object.
  • The right to erasure or blocking. Your customers have the right to suspend, withdraw or order the blocking, removal, or destruction of their personal data from your computer database or manual filing system.28 Their personal data is their property. Therefore, they may dispose of it in whatever manner they deem appropriate.
  • The right to damages. Your customers may ask for indemnity for any damages they may have sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal data.29
  • The right to rectification. Your customers may ask to correct inaccurate or erroneous information in their personal data. You are required to update the inaccuracy or error immediately unless you can show that the request is vexatious or unreasonable.30
  • The right to data portability. Your customers have the right to obtain from you a copy of their personal data in an electronic or structured format that is commonly used and electronically move, copy, or securely transfer their data for further use.31

Implementation of security measures

The data privacy principles and the security and protection of your customers’ data privacy can only be ensured if your business has the proper infrastructure and systems in place. The law requires the implementation of the following measures to ensure compliance with the law:

  • Appointment of a Data Protection Officer. The law requires the appointment of a data protection officer if you are involved in processing personal data. He is primarily responsible for protecting your customers’ personal data collection and processing. You may, however, outsource the DPO functions.32
  • Conducting a Privacy Impact Assessment. The NPC recommended the conduct of a privacy impact assessment as part of an organization’s security incident management policy to prevent or minimize the occurrence of a personal data breach.33 The objective of the assessment is to identify attendant risks in the processing of personal data.34
  • Creation of a Privacy Management Program and Privacy Manual. The Privacy Management Program is intended as “an easier way to explain to the management and staff: why are we doing this, what are the results we expect, what are the benefits of those results, and what do we need to do to get them.”35 The creation of the PMP results in the creation of the Privacy Manual which serves as a guide or handbook for ensuring your business’ compliance with the data privacy law, and rules and regulations.36
  • Implementation of privacy and data protection measures. Of course, developing a program and drafting a manual is not enough. You must ensure that the program and what you wrote in the manual are being observed and implemented. This is why it is crucial that you appoint a DPO to oversee the implementation of privacy and data protection measures.
  • Breach Reporting. You are required to notify the NPC and your customers if there is a personal data breach requiring notification.37 The notice must be made within 72 hours upon knowledge of, or when there is a reasonable belief that, there has been a personal data breach.

You are required to make the notification if:

    ○ There is a breach of sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud;
    ○ The data is reasonably believed to have been acquired by an unauthorized person; and
    ○ Either the personal information controller or the NPC believes that the data breach will likely give rise to a real risk of serious harm to the affected data subject.

How can FBRT help your business become data privacy compliant?


As you can see, there are many things that you need to be mindful of, take into consideration, and implement so that your business can become data privacy compliant. There are programs you need to come up with, manuals you need to write, and measures you need to implement.

FBRT’s Privacy team has the expertise and competence to guide you in navigating your compliance journey in complying with the DPA and the NPC’s rules and regulations. Our team has certified data privacy officers. In fact, one of our Founding and Senior Partners, Atty. Jasmin R. Fiel Samson, obtained her certification as a Data Privacy Officer (DPO) from Enderun Extension of Enderun Colleges Inc.

More specifically, our team can provide you with the following services:

  • Assist you in your compliance with the Data Privacy Act (DPA), and the issuances and advisories of the National Privacy Commission (NPC);
  • Assist you in conducting a Privacy Impact Assessment;
  • Assist you in crafting privacy management programs, drafting appropriate privacy policies and notices, and codifying the same into privacy manuals;
  • Assist you in the preparation of data breach management procedures and protocols;
  • Review your compliance with data-sharing agreements, outsourcing arrangements, and other relevant contracts; and
  • Facilitate your registration with the NPC.

Now is always the best time for your business to be data privacy compliant. FBRT would love to hear from you about how it can help your business through our Privacy team.

Speak to our certified data privacy officers today.


Sources:

  • Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012
  • Implementing Rules and Regulations of the Data Privacy Act of 2012
  • privacy.gov.ph – the official website of the National Privacy Commission
  • Fernando, Emmanuel, The Right to Privacy in Philippine Jurisprudence (August 30, 2018). Australian Journal of Asian Law, 2018, Vol 19 No 1, Article 4: 67-84, Available at SSRN: https://ssrn.com/abstract=3241072
  • NPC Circulars and Advisories
  • NPC Privacy Toolkit, 3rd Edition (2018)

Endnotes

  1. Section 2, Article III.
  2. Section 3, Article III.
  3. Spouses Hing vs. Choachuy, G.R. No.179736, June 26, 2013.
  4. id. 
  5. Fernando, Emmanuel, The Right to Privacy in Philippine Jurisprudence (August 30, 2018). Australian Journal of Asian Law, 2018, Vol 19 No 1, Article 4: 67-84, Available at SSRN: https://ssrn.com/abstract=3241072
  6. id. 
  7. Republic Act No. 10173, which was approved on August 15, 2012.
  8. Section 3 (c), id.
  9. Section 3 (g), id.
  10. Section 3 (h), id.
  11. Section 3 (i), id.
  12. Section 14, id.
  13. Section 11, id.
  14. Section 13, id.
  15. Section 12, id.
  16. Section 21 (a), Implementing Rules and Regulations of the Data Privacy Act of 2012.
  17. Section 19 (a), id.
  18. Section 46 (a), id.
  19. Section 46 (b), id.
  20. Section 46 (c), id.
  21. Section 18 (a), id.
  22. Section 19 (b)(2), id.
  23. Section 18 (b), id.
  24. Supra note 24.
  25. Section 18 (c) and 19 (a)(4), id.
  26. https://www.privacy.gov.ph/know-your-rights/
  27. id.
  28. Section 34 (e), Implementing Rules and Regulations of the Data Privacy Act of 2012.
  29. Section 34 (f), id.
  30. Section 34 (d), id.
  31. Supra note 26 in relation to Section 36 of the Implementing Rules and Regulations of the Data Privacy Act of 2012.
  32. https://www.privacy.gov.ph/appointing-a-data-protection-officer/
  33. NPC Circular 2016-03.
  34. Section 6, id.
  35. NPC Privacy Toolkit, 3rd Edition (2018).
  36. id.
  37. Section 38, Implementing Rules and Regulations of the Data Privacy Act of 2012.