#92

As a privacy lawyer working for a big corporation, I have always wondered how small to medium sized enterprises (SMEs) handle data privacy compliance. These SMEs usually lack the resources to hire privacy consultants and thus have to Google-fu their way to compliance.

Unlike American regulations, which typically apply only to businesses above a certain size or revenue threshold, the Data Privacy Act (DPA) of the Philippines covers every entity that processes personal data, down to solo entrepreneurs and individual professionals. Although the regulator, the National Privacy Commission (NPC), has recently been holding seminars and conducting privacy sweeps during its visits to malls and other public places, I believe it is the responsibility of privacy professionals to do their part, help the NPC, and share what they know, especially with laymen.

It's easy to get lost in the weeds when it comes to privacy, so I want to help out and present the law in basic terms. Though topics are made plain, there is still a lot to tackle so I will have to divide this guide into two parts.

First, the business owner needs to assess what personal data they currently have. Simplified, personal data is any information that identifies, or can reasonably be used to identify, a natural person (like, you know, a human). Take note that employees are natural persons too, so their data is personal data as well. Let's say you are a kiosk selling baked goods in a mall. The personal data you hold may include:

  1. Name of business owner
  2. Business documents containing the name of the business owner
  3. Name of employees
  4. Contact details of your employees
  5. Employment contracts with the names and signatures of your employees
  6. Resumes of your employees
  7. Name of your customers
  8. ID card details of your customers who are PWD/Seniors
  9. If you are doing cashless transactions, mobile numbers of your customers
  10. Name of your mall liaison
  11. Contact number of your mall liaison
  12. Name of your "sugar" and "flour" guy
  13. Contact number of your "sugar" and "flour" guy

Now that you have a list of the personal data your business is handling, it's time to assess whether you really need to keep all of it. For example, why do you need to keep the resumes of your employees once they already have the job? Maybe it's time to record only what you need (like name, address and mobile number) and dispose of the rest of the document. Another example: once you have confirmed that a customer's payment came through, why do you still need the mobile numbers of customers who paid using cash apps? Again, keep what you need and dispose of the rest. The less personal data you hold, the less there is to protect and the less there is to lose if something goes wrong.

Second, as an SME, you are generally not required to comply with the registration requirements set by the NPC. For the sake of simplifying the discussion, I will assume you [1] do not employ more than 250 employees; [2] do not process the sensitive personal information (these are special categories of personal data that the law mandates more protection for; common examples are age, marital status, and government ID numbers) of a thousand or more persons; [3] do not process personal information regularly, as part of your day-to-day business; and [4] are not doing anything risky that may endanger the personal data of your customers or employees. If you do, I assume you are a fairly big operation and have the budget to hire a real privacy consultant.

Anyway, even if you are not required to comply with the documentation requirements, you still need to declare to the NPC that you are exempt. To do so, fill out and sign a "Sworn Declaration and Undertaking for Exemption from Processing of Data Processing Systems" or SDAU, have it notarized, and submit the form through the NPC Registration System (NPC RS). You can find a copy of the SDAU and all other details when you register with the NPC RS.

Once you have submitted it through the NPC RS, the SDAU serves in place of an NPC Certificate and Seal of Registration, and you can use it as proof that you have complied with the NPC in lieu of submitting the documentary requirements.

It is important to note, however, that even if you are not required to register your Data Protection Officer (DPO) with the NPC, you are still mandated by law to appoint one. A DPO basically implements privacy compliance for your business and serves as the NPC's contact person if any problem arises. Although it is good practice to appoint someone who at least knows the basics of privacy as DPO, as an SME it is understandable if you do not have the budget to do so. In that case, the business owner can be their own DPO. Privacy can be learned anyway, just as you are doing by reading this post. Make sure that you have a document (if you are a corporation, an official Secretary's Certificate) showing that you have appointed a DPO. Also, use this time to register a dedicated email address for the DPO position (this is crucial: the address should belong to the position, not to the person currently occupying it, so it keeps working when that person leaves) like dpo.businessname@gmail.com or dpo@businessname.com. Since this is the address the NPC and your data subjects will use to reach you, protect it like any other sensitive account.

Finally, if you do fall under one of the categories above (let's say, as a kiosk selling baked goods, you are recording the ID details of a thousand or more PWDs/senior citizens in a given year), you have no choice but to register your DPO and your Data Processing System (DPS) with the NPC. Basically, a DPS is whatever you use to store and process the personal data you hold. It can be a simple notebook or an Excel sheet. To avoid complicating this post further, I might write another guide about the DPS, data lifecycles, and how to use the NPC RS.

Now that you have complied with the registration requirements of the NPC, the next step is to secure your personal data. There are three areas you need to take care of: organizational, physical, and technical. Luckily, you don't need state-of-the-art security measures, since the law only mandates that you observe "reasonable and appropriate measures". As an SME, you generally do not face the same risks as a big corporation and therefore do not need the same security system; what counts as "reasonable" depends on how much personal data you hold and how sensitive it is.

For organizational and physical measures, make sure to regularly train employees (and even the business owner) on how to handle personal data. This can be as simple as not leaving documents with personal data on the counter, not using papers with personal data on them as makeshift notepads, locking the cabinets or drawers that contain devices or documents with personal data, and not exposing customers' pictures and other details on the Internet. For technical measures, you do not need to employ military-grade encryption, but it is good practice to lock company laptops with a password (and turn on the built-in disk encryption if the device offers it), and to password-protect Excel sheets, Word documents or PDFs containing personal data. A password only helps if it is long and not reused elsewhere, so do not use the same one for every file and do not write it on the same piece of paper as the data. If your email, cloud storage, or other online accounts contain personal data, make sure to use two-factor authentication (2FA). In the end, security measures are just a mixture of common sense and a pinch of paranoia about keeping personal stuff secret.

Third, if you are using CCTV in your business, post a visible sign on the premises stating that you are capturing personal data through CCTV and for what purpose, such as security or preventing employee theft. Make sure that your CCTV only captures what it needs to capture (for example, the footage does not have to cover the entire street if your purpose is only to capture the faces of persons coming into your store). The NPC pays very close attention to CCTV use.

Fourth, have a privacy notice for your employees, contractors and customers! A privacy notice is basically just a visible sign that lets people know what personal data you are collecting, what for, who you share their data with, how they can exercise their data subject rights, who your DPO is, and what your DPO's contact details are. For your employees, before they sign the employment contract, you can show them a document stating that you are collecting their name, contact number, address, ID number, bank account number, and other details for communication, salary and SSS/PhilHealth purposes. If you are using CCTV in the office, you also need to tell them about this.

A privacy notice for your customers is more stringent, since you have to readily show it to everyone who interacts with your business. Place the sign by your counter or POS machine, or if you are selling online, on your website. It's easy to craft a privacy notice because you can look at existing businesses like your own and use their notices as a starting point, changing the terms to fit your own business; just make sure every statement in it is actually true of how you handle data, since the notice is a promise to your customers. Do not complicate your privacy notice. The fact that you may not be a lawyer is actually beneficial. The easier your notice is to read and the less legalese it contains, the better.

I will talk about data sharing, rights of data subjects, breach reporting, and documentation in the next guide. I know these terms sound a bit scary, but don't worry, I'll try to simplify them! For now, if you are thinking of opening a business, do not be afraid of complying with privacy law. It takes a bit of elbow grease, but once you know how, it can be an easy thing to do. It's just a matter of dedication and upskilling.

See ya next time!
