#90

This is the continuation of my "Privacy for SMEs" guide here (https://listed.to/@rhynetoken/55441/92).

Coming from the first post, you now know what personal data you are processing in your business (and have determined whether it is necessary to process it in the first place), have complied with the registration requirements of the National Privacy Commission (NPC), applied reasonable and appropriate security measures, placed CCTV signs at your premises (if you are using CCTV), and have a privacy notice ready for your employees and customers. You have actually done more than most of your peers, but unfortunately, compliance with privacy law does not stop there.

Continuing with our fifth point: Dispose of documents and databases containing personal data carefully! If you can, make it a point to invest in cross-cut shredders that can securely dispose of physical documents and make sure to clear your trash bin if you wish to permanently delete electronic documents (whether locally or in the cloud). Note that improper disposal of personal data is a crime under the Data Privacy Act (DPA) which carries imprisonment AND a fine!

Moreover, relevant to this point, do not keep personal data perpetually! Always take a look at what data you currently have and ask yourself whether you still need it or not. The DPA does not look favorably on perpetual storage of personal data for purposes that are yet to come. That's fair, because your customers might not have been informed that you are going to use their personal information for purposes other than the one you communicated to them.

A common question that I get as a privacy lawyer is how long to keep business records under tax laws. I believe this is the wrong question to start with (though the answer in general is ten years), since the more proper question is whether your business records should contain personal data in the first place. In your books of accounts, make sure to only disclose customer or supplier personal data when completely necessary (easier done if you are not a VAT-registered taxpayer). It is also important to remember the technical and physical security measures we talked about in the first part of this guide to keep these business documents and books safe.

Sixth, do not share personal information with a third party unless absolutely necessary, and this goes for law enforcement authorities too. If a policeman ever goes to your place of business and asks for a copy of CCTV footage, for example, make sure that they have a written request before you comply and that they have provided details of why they are requesting such information in the first place. This is simple CYA - cover your ass - in case people sue you for not exercising due diligence in sharing personal information with third parties. That you just complied because the other party is a government representative is not a satisfactory answer!

If a private third party asks for personal information of another person (let's call this the first party), determine whether the latter gave their consent for you to give such information to the third party. If they did not, ask the third party what their purpose is for asking such personal information. In general, these are allowable grounds for asking the personal information of the first party:

  1. The third party will file/has filed a case in court (whether or not the other party in the case is the first party), and the personal information is necessary for the case; and

  2. The first party is having a health emergency, and the requested personal information will be used to address such emergency.

In supplying such information to the third party, you have to inform the first party that their information has been disclosed as a matter of transparency, unless the purpose of the third party for requesting such information is to investigate the criminal, administrative or tax liabilities of the first party. Moreover, similar to asking written requests from law enforcement authorities, it is also good practice to ask for a notarized affidavit from third parties that they will only process the information of the first party for the purpose that they have declared, and not to publicly disclose the same.

Moreover, make sure that when disclosing personal information to third parties, you only disclose what is required. For example, when a third party asks for CCTV footage of a crime that occurred at your place of business from 1:00 to 1:20PM, there is no point in sharing footage from 12:00NN to 3:00PM, unless the same has materiality to their case. Do not be afraid to argue with law enforcement authorities over whether the personal information they are asking for is really required for their case buildup, because at the end of the day, it will be you who will be liable if you improperly disclosed personal information. Always CYA!

Seventh, make sure to have a plan in place for when a personal data breach happens. You will know there is a breach whenever the integrity (e.g., you have accidentally altered names of your employees in an Excel sheet), confidentiality (e.g., a hacker has accessed personal information of your customers), or availability (e.g., you have mistakenly disposed of customer data that you actually still need) of personal data has been compromised. If you take a look at the examples inside the parentheses, you can see that a breach can range from minor to panic-inducing security incidents.

As an SME, there are few instances when you have to notify the NPC or your data subjects about a data breach. Notifications are generally required when the breach involves sensitive and other crucial personal information like government ID numbers, bank records, and login details. Despite this, it is still important to craft a plan for whenever a breach does occur. For example, when dealing with Excel sheets and Word documents, enable backups and version history so you can go back to an earlier copy if you accidentally altered or deleted personal data. When dealing with CCTVs, make sure that only authorized personnel have access to the footage. I have seen barangay halls and police stations proudly displaying live CCTV footage of their surroundings right smack by their entrance - that shouldn't be the case! Personal information should be accessed, used, and disposed of on a need-to-know basis.

Eighth, your employees, contractors, business partners and customers have the right to access their own information. In the field, these requests are sometimes called Data Subject Access Requests or DSARs. This includes employment records for your employees, sales or marketing records for your customers (if you keep them), and even CCTV footage of themselves for everyone who entered your place of business. Data subjects have a lot of rights under the DPA - but all you need to know now is that they have the right to access their own information, the right to be informed what personal information you collect from them and what you do with that data (remember your privacy notice?), and the right to rectify any wrong personal data you may have about them. This is why your privacy notice should contain the contact details of your Data Protection Officer (DPO), because they are the one data subjects will contact in case they wish to exercise their rights.

Data subjects also have the right to have their personal information erased or object to your processing of their personal data, but if you followed my instructions and keep only necessary personal data, you can tell these data subjects that you can't delete their personal data because (1) you are keeping their personal data to follow a legal obligation (for example, tax laws or there is a subpoena); or (2) you need the personal data to continue executing a contract with said data subject.

Ninth, let's talk about marketing. Although there is some basis to the thinking that you do not need your customers' consent before you can market things to them, the NPC is yet to have a clear stance on this one (and even if it did, you would need to conduct something called a legitimate interest analysis, which may require expertise in the field), so it would be better if you ask your customers for consent before you send them marketing materials through email, SMS, or calls. Additionally, always remind your customers that they can unsubscribe from your marketing materials at any time and make it easy for them to withdraw their consent to be the subject of direct marketing. Of course, you need to record these preferences and honor your customers' wishes.

If you intend to share personal data of your customers with a third party for marketing purposes, it is again good practice right now to promptly tell your customers you are sharing their data and ask for consent. You also need a comprehensive agreement for such data sharing. Other privacy professionals may not agree with me on this one, but again, I am assuming you are an SME and do not have the skills or budget to properly balance your business' marketing needs and your customers' right to be left alone. It is better to just ask for customer consent.

Tenth and last on the list, DOCUMENT EVERYTHING! Everything that I said since the first part of this guide constitutes your privacy management framework - from the list of personal data you collect, what you do with them (which can already be considered as your records of processing activities or RoPA), your NPC Certificate of Registration or in lieu thereof your SDAU, the security measures you set up (which can be your Security Policy), the privacy notices you wrote, what you do in case you have CCTVs (which can be your CCTV Policy), what to do when you share data with the government or private third parties (which can be your Data Sharing Policy), how to properly dispose of data (which can be your Retention and Disposal Policy), what to do in case of breach (which can be your Breach Management Policy), what happens if a data subject exercises their rights (which can be your Exercise of Data Subject's Rights Policy), and what to do and not to do in case of marketing. These policies all taken together can be your Privacy Manual.

Congratulations, you are now partly compliant with Philippine privacy laws! I say "partly" because, truth be told, compliance is not an end but rather a journey. There is still a lot to learn, such as privacy impact assessments, control mechanisms, and privacy-by-design and privacy-by-default practices. These are advanced topics on which I may write a further guide in the future.

The privacy field is rapidly changing, not only in the Philippines but worldwide. Thus, as a business owner, it is very important to register with the NPC and watch out for updates in the field because what may be a mere talking point now (like the use of Artificial Intelligence) can be a regulation in the future that all businesses have to comply with, including yours.

Good luck with your business, and I hope you stick around this blog for more privacy-related discussions (sandwiched between random musings and creative nonsense).
