Imagine a typical Monday morning in your office. You have been appointed and have acted as your company’s Data Protection Officer (DPO) for the past two months. You are still in the early stages of understanding your role as the DPO and implementing your company’s data privacy compliance program. As you are going through dozens of unopened emails, you receive a frantic phone call from your colleague asking you to urgently check an email marked as “URGENT”. You realize that your company has just received a letter from the National Privacy Commission (NPC) regarding a Compliance Check that the NPC will be conducting within the
next couple of days.
Several DPOs would find the foregoing scenario rather familiar, as the NPC has recently concluded its fourth round of briefings on the conduct of NPC’s Compliance Check. DPOs and other representatives from personal information controllers (PICs) across sectors and industries attended the Compliance Check Briefing.
Under Section 7 (a) of the Data Privacy Act of 2012 (DPA), the NPC has the mandate to “ensure compliance of personal information controllers with the provisions of this Act.” During the October 17, 2017 briefing, the NPC’s Compliance and Monitoring Division (CMD) explained that the session was intended to educate the PICs on the purpose of the Compliance Check, and how the NPC would manage the entire process. The CMD likewise emphasized that the NPC and the PICs are partners in promoting the culture of privacy in the Philippines, and as such, the Compliance Checks are primarily intended to assist PICs in their data privacy compliance program.
What to Expect?
Usually, a team of four to six staff will handle the Compliance Check Visit. The process begins with a documentary review of the PIC’s data privacy compliance vis-a- vis the NPC’s 32-point Data Privacy Accountability and Compliance Checklist (Checklist). A copy of the Checklist can be downloaded here. During this stage, the PIC is expected to provide the CMD team with a data room containing the PIC’s documents sorted and labeled from “1” to “32”, with each number corresponding to an item on the Checklist.
After reviewing the documentation, the CMD conducts a validation exercise to verify if the policies and protocols are actually being implemented and cascaded down to the PIC’s rank and file employees. As part of the validation exercise, the CMD may interview the PIC’s management and staff. In other words, paper compliance is not the objective. CMD Chief Dr. Rolando Lansigan clarified, “
[w]
hat we are looking for is whether, throughout the organization, the NPC’s Data Privacy Accountability and Compliance Checklist was effectively communicated, fully deployed, and easily accessible, especially to new data subjects.”
Based on the information gathered by the CMD, the NPC will furnish the PIC with a Compliance Order highlighting the PIC’s strengths, as well as the CMD’s observations and NPC’s directives to address the PIC’s non-compliance issues identified during the Compliance Check Visit. Within a given period, the PIC will have to submit to the NPC a Compliance Report explaining what remediation measures have been undertaken to address the non-compliance issues noted by the CMD. If the PIC fails to address the non-compliance issues to the satisfaction of the NPC, the latter may resort to investigation, enforcement, or even an issuance of a cease and desist order, as may be warranted under the circumstances.
Finally, it was clarified during the briefing that the March 2018 deadline covers only the registration of the PIC’s processing systems. The CMD explained that even before the said registration deadline, the PICs are expected to have started compliance with the requirements of the Data Privacy Act, its implementing rules and regulations, and NPC’s issuances.
How to Handle the Compliance Check?
Attend the briefing. The NPC’s briefing is a good opportunity for the PICs to get clarifications from the NPC before the actual Compliance Check Visit is commenced. Attending the briefing also sends a message to the NPC that your company is serious about compliance, and is willing to cooperate with the NPC to strengthen your data privacy compliance program. Chances are, it will not be a one-one-one session between the CMD and your company but a general briefing attended by other PICs.
Ensure management support. Collating the documents relevant to the Checklist can be a painstaking and time-consuming undertaking given that for most PICs, the data privacy compliance program is still an ongoing activity. It is possible that the pertinent files may come from different departments and units within the organization. Given the tight timeline, management support will be needed to get your colleagues to assist in the Compliance Check Visit.
Organize the files. In any activity that involves an audit or a due diligence review, nothing is more frustrating to a reviewer than having to go through piles of unmarked documents. Sorting the files according to the Checklist and labelling them properly makes it easier for the NPC to ask questions and for the PIC to respond intelligently.
Begin with the Compliance Report in mind. As the DPO, you more or less have an idea about the outcome of the Compliance Check Visit even before it actually begins. Go through the Checklist, identify your company’s weaknesses, and start working on the remediation measures at the soonest possible time. By the time you receive the CMD’s observations, you only need to implement (or has already started to implement) your remediation measures that will feed into your Compliance Report.
Culture of Privacy
The Compliance Check is part of NPC’s efforts to cultivate a culture of privacy in the Philippines. As Dr. Lansigan explained, “
[c]
ompliance to the Data Privacy Act is not a one-shot initiative. It is a discipline and culture that must be embedded on a continuous basis within the organization.”
Understandably, the Compliance Check Visit can be an intimidating prospect for any PIC and its DPO. The NPC’s initiative of reaching out and educating the PICs about the process is a commendable gesture towards achieving a cooperative relationship between the regulator and the PICs. It would be very helpful if the NPC would use the Compliance Check as a tool to identify best practices and subsequently share those models with other PICs. Certainly, most if not all of the PICs are still building their capacity and data privacy compliance program at this time. Thus, any support that the PICs can get during this learning stage is very much welcome, most especially if the support comes from the NPC.
