EXCLUSIVE: A real life GDPR case study in the Philippines

GDPR is almost here, and most companies are not ready and have no idea what it’s going to take to keep them out of trouble and not pay thousands in fines.

It could be because they haven’t seen the real-life consequence of what could happen if they break GDPR rules.

The good thing is there’s actually a real-life case study of GDPR happening at a local level in the Philippines, and it has actually sent people to jail. Based on the Data Privacy Act of 2012, any business that is located in the Philippines is subject to stringent data protection laws that could cost offending businesses thousands in fines and jail time up to 6 years.

Keen to find out more, Information Age interviewed Julie Shafiki, chief marketing officer at Safe-T, a leading provider of software-defined access solutions for the hybrid cloud that has customers in the Philippines who have been grappling with PDPA.

>See also: GDPR vs Australian data privacy regulations: 5 key differences

Safe-T is using it as a case study to help their other customers around the world get ready for GDPR and Shafiki talks with us about the parallels, differences and lessons to be learned from PDPA.

1) Based on your experience in the Philippines, what are the consequences of breaking data protection laws?

Unlike GDPR, the DPA doesn’t just instill fines (which can of course be significant); perpetrators can actually be imprisoned for up to six years. Therefore, it’s crucial for business leaders to understand the implications and prepare accordingly in order to stay compliant and minimize risk.

2) How similar is the law over there to the impending GDPR? Is it stricter etc?

Here are a few ways that data must be collected and protected under the DPA. You must:

• Have the consent of individuals in order to collect their data.

• Have a legitimate reason to collect and store data.

>See also: The true cost of the General Data Protection Regulation

• Not collect more data than the scope of your legitimate reason would allow.

Additionally, people whose data has been collected have the right to know what’s being stored, the right to access their stored data, the right to remove or edit the data, and the right to sue for damages in the event that their rights are infringed.

The DPA specifies that all data breaches affecting Philippine customer data must be reported within 72 hours. This is an internationally-enforceable provision and ff an entity is covered under both the GDPR and the DPA, all data breaches still have the 72-hour limit, even if the only data that’s been breached is EU-related.

3) Why is it important for more stringent data protection laws?

This is important for several reasons:

• To align all businesses so that data is protected equally across all applications and industries.

>See also: What is the impact of the changing data protection landscape?

• Regulation and compliance standards encourages companies to better invest in security – to protect themselves and their customers.

• It protects everyday people’s data from getting into the hands of unauthorized users

4) How can businesses benefit from regulation like GDPR?

Businesses will benefit from GDPR by having enormous incentives to invest in security layers to protect their sensitive data. Unless you take earnest, good-faith steps to protect yourself from cyber attacks, your company will be fair game for regulators. Companies must build proper strategies and adhere to healthy business processes in order to avoid hefty fines.

The GDPR can be frightening to small and mid sized business in particular, as many might not survive their first contact with its fee structure. Reinforcement with GDPR-compliant solutions will greatly increase a businesses’ peace of mind.

>See also: The multinational impact of GDPR

5) Should the c-suite be culpable for compliance failures, and what should punishment look like?

The trend now is to hire a data protection officer whose main responsibilities include overseeing data privacy, ensuring compliance and managing data protection risk for the organisation. This executive should have expertise in data protection law, best practices and a complete understanding of the company’s IT infrastructure, technology, and technical and organisational structure.

Executives hold more responsibility for serious failures, and compliance will follow this path. This role comes with significant responsibilities, as the future of the company could be in the balance if a breach occurs. It remains to be seen, however, if the DPO will personally bear the brunt of heavy fines.

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...