Public and private companies that failed to beat the September 9 deadline for the registration of their data processing systems starting with the registration of their data protection officer will be subjected to compliance checks, the National Privacy Commission warned over the weekend.
“Failure to register may subject a company or an agency to compliance checks, compliance orders, and depending on attendant circumstances may be considered evidence of unauthorized processing, punishable under the Data Privacy Act,” said NPC chairman Raymund Enriquez Liboro.
Since September 9 fell on a Saturday, a non-working day, the deadline automatically moved to the next working day, or September 11, 2017.
“For one thing, in case an organization suffers a data breach in the future, its non-registration would imply lack of due diligence, critical in defending against charges of negligence,” he said.
The commission will continue accepting registration papers from controllers and processors even after the Monday deadline.
A compliance check by the commission is a comprehensive validation process based on 10 critical aspects of accountability, which the agency has termed as the data governance framework.
It involves interviews, operations inspection, documents analysis and pertinent activities intended to appraise the organization’s culture of privacy.
Several conglomerates have registered their data privacy officers with the commission, among them the Ayala Group, the SM Group of companies and Lucio Tan Group.
Philippine National Bank, one of the companies under the Lucio Tan Group, submitted its registration as early as May 2017, one of the first companies to comply with the designation and registration of a DPO.
Roland Oscuro, DPO of PNB, protection of personal data was essential in maintaining the trust of customers, as well as improving market position.
“Our long term goal is to develop a culture of privacy within our organization that we hope our employees can take home and share with their family and friends,” he said.