Expert Interview with Mr Dondi Mapa, Resource Expert
The Data Privacy Act is an aspirational piece of legislation. It describes a vision of how we would like to live in the future – of how we would like to live in the 21st century because these are challenging times. Our data is being used to manipulate our behavior and it is being done by companies and organizations that gather that data and use it to present us with arguments, with persuasions, with targeted messages that are meant to control and manipulate our behavior.
And of course that’s a future, that’s an environment where we would like to retain our sense of autonomy. We’d like to be able to exercise our free will. So in order to do so that means that we need to have control over our personal data and we need to be able to decide who we trust with that data; we need to be able to control how that data is used and processed – and that is what the Data Privacy Act is about. It returns control of personal data to the data subject about whom that data was collected.
Key trends in data privacy and protection 5-10 years from now
In terms of trends and developments, we are really looking at three areas: technology, regulations, and cybercrime – I think these are the three things we need to pay attention to. When I say technology it is because there are a lot of advancements that are coming on stream including fields such as artificial intelligence, facial recognition, the use of blockchain, the collection of biometric data which in many cases even includes the processing of DNA.
When we look at the field of regulations, it is worthwhile to note that regulators are playing a catch-up game, but they are really striving to keep up with all of these advances in technology and of course all of the threats that come from bad actors, i.e. cybercriminals. If we look at cybercrime itself, we can see that more and more criminals are beginning to see the value of data and how they can exploit these data. It’s only going to get harder. Technology will be developing at an ever-increasing pace, regulators are going to keep playing that catch-up game, and bad actors are going to be out there to exploit and take advantage of those who fail to adequately protect the data that they have collected.
What can be done to future-proof one’s organization?
When it comes to compliance we need to be aware that there are two levels of compliance: paper compliance and operational compliance. So companies need to focus on paper compliance because it’s the policies, the procedures that describe what sort of data is being collected, how it’s being processed, and all of this documentation needs to be created, revised, updated, and it’s a lot of documentation, so achieving paper compliance is actually not an easy step.
It includes looking at your privacy notices, looking at your data sharing agreements, your outsourcing arrangements, looking at your collection, disclosure, retention policies, and all of these require a lot of work to be done, and many companies have told me it’s quite difficult because people are also doing their jobs at the same time. They need to be able to deliver what is expected of them and yet come up with all of these revisions that are required. So that’s really the first challenge: it’s how to find the time to be able to operate your current business while creating the paper compliance that’s needed to comply with the Data Privacy Act.
The second challenge is once all of these documents, policies, procedures have been updated, how do you get employees to change their behavior to comply with the new policies and the new procedures? This is what we call operational compliance, and in order to achieve operational compliance, one needs to develop a culture of privacy where employees are aware that situations may arise where a principle on data privacy or data protection is called into play and they should know how to respond. Do they know what procedures they should then follow? Do they know whom they should consult? Do they know how they should react when they see something that is quite possibly a breach and therefore they need to say something or do something? So this is where the rubber meets the road. You need to be paper compliant as well as operationally compliant, and that’s what it would mean to comply with the Data Privacy Act.
Advice for companies on their way to compliance with the DPA
For companies that are covered by the Data Privacy Act, it is recommended that they take a stance of accountability. As the NPC says, they have this acronym they call ACE – accountability, compliance, and ethics – and the key advice I would give is don’t just comply, be accountable. And even go beyond accountability. Be ethical. That means taking a stance where you need to be proactive; you need to look at everything that needs to be performed in order to uphold the rights of the data subjects. It means taking a look at the way you process and collect data and asking yourself, “Are we doing the right thing?”, “Are we acting in an ethical manner?”
And if there is one piece of advice I can give on how to start that journey correctly, it is to appoint a Data Protection Officer. Someone that can be a leader in guiding the company on its journey towards compliance and accountability. Someone who has the moral compass that can show the right way; the ethical way to comply with the Data Privacy Act.
How do companies view investing in data privacy and protection trainings?
When it comes to building a culture of privacy, it’s important to remember that everyone is responsible. It only takes one employee to have a slip-up; it only takes one person to commit a violation, and the whole company will suffer the consequences. The consequences could include loss of trust, loss of reputation, the need to pay damages and indemnify data subjects whose rights are violated; it can even go to the extent of criminal prosecution. So companies need to invest in orienting all their employees who handle personal data, and this could mean a simple one-hour orientation or a series of training interventions to make sure that their employees understand their obligations.
Should companies invest in data privacy and data protection trainings?
The key principle here is role-based training. Companies need to ask themselves what the roles of their employees are when it comes to collecting and processing personal data. Frontline employees will need some kind of orientation as to what the consequences of mishandling a data privacy issue are. But company executives need to get additional training on what the legal regulations are that need to be complied with, and what the strategic implications are of being able to protect the data of their customers, their patients, their employees. In a data-driven economy, privacy has become the proxy for trust. That means that if you can show your customers that you protect their data, then they will trust you. If they trust you, then they’ll continue to do business with you. But if you fail to protect their data, then they’ll lose their trust. And once they lose their trust, they’ll take their business somewhere else – that needs to be comprehended at the C-level.
There also needs to be more intensive training for employees who will become compliance officers for privacy, Data Protection Officers, or members of the breach response team. For employees that are handling these roles, in-depth training needs to be considered, which would take the course of several days. This would even include certification. One way to discover if your company’s training is enough is to conduct a breach drill. A breach drill is similar to a fire drill or an earthquake drill, and you can take a look at how your employees respond. Are they able to identify the breach, analyze it, and report to the authorities? And if they are not able to do that within the required response time, which is 72 hours, then that means that you need to invest in additional training. That means you need to develop their capabilities so that they are able to comply with the obligations under the Data Privacy Act.
How the DPO training program was drafted/created, including its basis and references
In order to be a DPO one needs to have knowledge. One needs to have skills and competence. And one needs to have confidence. And so the training program revolves around those three pillars. When we say knowledge, that means you have to know what compliance means. You have to know the implementing rules and regulations, the circulars, the advisories, all the advisory opinions. A lot of that is something that you can download, but you also need to understand the nuances – we move on to the next area, which is how to develop the competencies and skills that are needed, and the training program does this through case studies.
There are many case studies that will be encountered during the training program where participants will be asked to analyze many different aspects in a particular situation. There are case studies on the role of a controller versus a processor. There are case studies on the rights of a data subject; there are case studies on proper policies and procedures which need to be written. There are case studies on what to do when a breach happens and how to respond. And finally, we have case studies on how to do Privacy Impact Assessments. So through the course of the program, DPOs can apply the knowledge that they gain in real-life, hands-on learning experiences. So the focus is really on learning by doing, and as a result of these exercises, a DPO gains confidence in knowing how to handle the situations that arise when they go back to the real world.
The hallmark of the training program is the certification exam itself. At the end of the workshop, the participants go through a certification exam and we’ve seen that through the knowledge that they’ve gained, through the skills that they’ve developed through the cases and the hands-on exercises, they gain the confidence to be able to pass this certification exam.
What is the value in certification?
For one it means that you meet a benchmark and you’ve met a standard that tells the world that you’re promotable, you’re hirable. So from an employment standpoint, certification itself brings a certain value. You could also use it for promotions if you are looking for someone internally who would like to switch to a different career path or advance in their current career. A certification is a milestone that says they are ready for the next step.
For the general public, there is a value in certification because you know that the person who is handling your privacy concerns is someone that’s been trained. Someone that is knowledgeable, and someone that can actually empathize because they know how to be a Data Protection Officer. They know what it means to be accountable and ethical. And that’s what certification means.
There are many DPO workshops out there, but I would like to invite you to the TÜV Rheinland Academy’s DPO Certification Workshop because being through this experience means that you get a badge of excellence, and it’s actually listed in a website called Certipedia.com. If you go to that website you will see now that there are hundreds of Filipinos that have been through this experience. That means that they went through this program where they gained knowledge about the Data Privacy Act, ISO standards, and even the GDPR. They’ve developed competence and skills in handling a breach, in conducting a PIA, and in performing many of the tasks that DPOs are required to handle. And as a result of all of this, they now have the confidence that they can do their job as a DPO.