article banner
From Where We Sit

Another data protection regulation

Renan A. Piamonte Renan A. Piamonte

It’s normal to receive emails on updated terms of service from an online account, such as Facebook. In the past two months alone, I have received similar emails from Microsoft, Google, Yahoo, Airbnb, Facebook, LinkedIn, Twitter, Fitbit, Uber and Paypal. Getting one or two such emails may be a coincidence, but receiving that many is not. The surge in the number of emails from tech companies updating us on their privacy policies is also attention-getting: the normal legalese full of illegible descriptions of terms and conditions was replaced by a clear, easy-to-read style.

All of these are related to the General Data Protection Regulation (GDPR) that comes into effect next week.

The European Union’s (EU’s) new data protection law does not only cover all businesses operating within the EU, but also the companies that trade with EU-based businesses. For many of us, we may not think of individual European countries as significant business partners of the Philippines. However, as an economic bloc, the EU is in the Philippines’ top three largest trading partners for goods and services, even bigger than the United States.

The GDPR, therefore, is not something to be brushed aside as irrelevant, especially since the penalties for non-compliance can be as high as €20 million, or 4 percent of annual sales, whichever is higher.

The good news, though, is that companies complying with the Philippines’ Data Privacy Act (DPA) of 2012 have a very good chance of being ready for the GDPR, since the DPA is largely based on international data privacy frameworks such as the GDPR.

Like the DPA, the GDPR will introduce wide-ranging changes that require thorough understanding, internal stakeholder acceptance, and appropriate preparation and implementation across the whole business. In a recent publication for GDPR issued by Grant Thornton International, the following key changes were highlighted:

>  Better rights for data subjects – The largest shift is that individuals will benefit from greatly enhanced rights, such as the right to object to certain types of profiling and automated decision-making. Consent requirements will also be more stringent. Consent must be explicit and affirmative, it must be given for a specific purpose, and it must be easy to retract. Individuals may also request that personal data be deleted or removed if there isn’t a persuasive reason for its continued processing.

> Increased accountability – Organizations will have far more responsibility and obligation. They will need to publish more detailed fair processing notices, informing individuals of their data protection rights, explaining how their information is being used, and specifying for how long. The new regulation also embeds the concept of privacy by design, which means that organizations must design data protection into new business processes and systems.

> Formal risk management processes – Organizations must formally identify emerging privacy risks, particularly those associated with new projects, or where there are significant data processing activities. They must also maintain registers of their processing activities and create internal inventories. For high-risk data processing activities, Data Protection Impact Assessments (DPIAs) will be mandatory. It will also be compulsory to appoint a Data Protection Officer (DPO).

> Significant sanctions – Penalties for noncompliance will rise considerably, up to €10 million, or 2 percent of annual sales (whichever is greater) for minor or technical breaches, and €20 million, or 4 percent of turnover for more serious operational failures. Investments in new tools to protect data have become relatively cheaper.

> Data processing requirements – The regulation also imposes new requirements on data processors, and includes elements that should be addressed contractually between data processors and data controllers.

Assuming that a Philippine company is already compliant with the DPA, there is still a need for continuous improvement to ensure sustained compliance with both the DPA and GDPR. Companies should develop a competent team or appoint a trusted advisor to assess the effectiveness of data protection efforts and perform GDPR and DPA audits. Data risk management should also be integrated into the overall risk management structure. Lastly, data protection training is expected to be a regular feature of both onboarding and annual training programs.

These measures may seem a lot, but they represent the price we have to pay to protect data.

Renan Piamonte is the Risk Management partner of P&A Grant Thornton. P&A Grant Thornton is one of the leading audit, tax, advisory, and outsourcing firms in the Philippines, with 21 partners and over 900 staff members. For comments, please email or Visit our website:; Twitter and Instagram: pagrantthornton, and FB: P&A Grant Thornton.


As published in The Manila Times, dated 16 May 2018