GDPR/DPA: Tools to become compliant
The European Union General Data Protection Regulation is a comprehensive set of rules designed to keep the personal data of all EU citizens collected by any organization, enterprise or business safe from unauthorized access or use. The GDPR went into effect on May 25, and the provisions in the law will greatly affect the manner in which every business transaction involving European Union citizens is conducted from that point forward.

Provisions in the GDPR grant the EU the authority to enforce the regulations across international borders. That means a small 20-person company in Texas that collects personal data from a customer residing in Paris in order to sell and ship a cowboy hat will be subject to the security provisions of the GDPR—and, more important, will be liable for any penalties imposed for not following those provisions.

There are no exemptions for size, scope, location or first offenses. Fail to meet the provisions of the GDPR and you will incur penalties. Organizations that ignore the GDPR are opening themselves up to uncertain liability, substantial risk and potential financial hardship. The gravity of the GDPR suggests that a prudent course of action is required, including establishing procedures, protocols and policies that address and meet the requirements of the law. This EU General Data Protection Regulation Policy will give you a head start on building guidelines that fit your company’s circumstances.

The Data Privacy Act (DPA) of the Philippines, which is enforced by the National Privacy Commission (NPC), is equally comprehensive, designed to keep the personal data of Filipinos collected by various organizations and businesses safe from unauthorized access or use.

As part of its commitment to increasing understanding in Philippine-European relations, the European Innovation, Technology, and Science Center Foundation (EITSC) commissioned Mr. Dondi Mapa to author a paper that compares the provisions of the GDPR and the DPA and highlights the areas where the two are aligned and where they differ.

Damian “Dondi” Mapa is an expert in information and communications technology and public policy. In 2004 he was appointed to the Commission on ICT by President Gloria Macapagal-Arroyo. In 2016 he was appointed to the National Privacy Commission (NPC) by President Benigno S. Aquino III. He is a co-author and signatory of the implementing rules and regulations of the Data Privacy Act of 2012, as well as various NPC circulars and advisories. He is also a past member of EITSC’s Board of Trustees.

In his “White Paper,” Dondi states that “it should not come as a surprise that the Data Privacy Act is closely patterned after the European Union’s General Data Protection Regulations. In fact, I would assert that any Philippine company that is fully compliant with the DPA and related issuances is over 90 percent compliant with the GDPR. A corollary to this would be that Filipino data protection officers would naturally be highly proficient in performing GDPR-compliance roles.”

To prove this assertion, I have compiled a point-by-point comparison in the sections below. Please note that my thesis is not that the DPA is the Philippine version of the GDPR, but rather that the DPA is a Philippine implementation of the GDPR—in alignment with Recital 8 of the GDPR: “States may, as far as necessary for coherence and for making the national provisions comprehensible to persons to whom they apply, incorporate elements of this Regulation into their national law.”
This White Paper can be reviewed on the web site of EITSC, www.eitsc.com, under Announcements/News.

Allow me to add that EITSC is offering an online Data Protection Management System (DPMS) which is capable of identifying your compliance or noncompliance with both laws.
