Important usual disclaimer: Sam is not a lawyer, please don’t sue Sam, please do speak to your legal counsel if you have questions about regulatory compliance. Thanks.
When I think of the Philippines, my first port of mental call is a place called Charlh’s Bar. Once situated on White Beach in Boracay, it was fashioned in a semicircle and perfectly positioned to experience stunning sunsets. Regulars and tourists alike filled the bamboo bar stools, whilst the friendly staff mixed cocktails and cracked open ice-cold San Mig light beers. Once the sun had retired for the day, local musicians would cram in behind the staff and play covers until the small hours.
After 18 years in business, Charlh’s Bar was removed from the beach a few years ago because it was built too close to the sea. Whilst this broke my heart a little, Boracay was in dire need of renovation, as years of ever-increasing tourist numbers had put the island's infrastructure and ecosystem under great strain. In 2018, the government took bold strokes and closed the island to visitors entirely for a period of time, implementing a mass cleanup and fully enforcing the rules around building and environmental regulations.
So, What Does This Have to Do with Data Privacy?
OK, I’ll stop reminiscing and get on with the story. There is a connection, I promise. The Philippines is well-known for having strict laws, and whilst it took arguably longer than it should have to fix Boracay, the country has blazed a trail in ensuring organisations protect the personal data of citizens and residents.
In August 2012, the Data Privacy Act (DPA) was signed into law, and many parallels can be drawn with the more recent General Data Protection Regulation, aka everyone’s favourite(?) four letters: GDPR. Organisations must only process necessary data, access controls need to be implemented, privacy impact assessments must be conducted, security controls must be tested for efficiency—the list goes on.
No Two Compliances Are Totally Identical
However, there are some nuances between the two laws, including one massive difference: the 2012 DPA infringement penalties also include a possible custodial sentence of up to six years imprisonment. Additionally, data protection officers and breach reporting rules are mandatory, and organisations must submit a written annual report documenting all security incidents and personal data breaches.
One of the biggest complaints I’ve heard about GDPR is that it’s vague. No-one fully knows whether they are actually completely compliant, and most organisations are doing their best to meet the regulation whilst crossing their fingers and hoping that what they’re doing is enough. That said, GDPR is much more recent than the Philippines DPA, so clarification is ongoing and the awesome folks over at EU Working Party 29 are churning out regular guidance.
The Filipino government continued on its path of data privacy and security goodness by issuing supplementary rules in 2016 and forming a new privacy agency, called the National Privacy Commission (NPC). For organisations in the Philippines, the NPC’s website provides excellent and vitally specific details on what organisations need to do to ensure compliance. It also issues clear information about the rights of individuals. If you’ve read our blog on my love for the OAIC, then you’ll already know I am a big fan of governments providing clear, actionable requirements and advice.
One such requirement under the DPA is the creation of a security incident response team. This can be an in-house or outsourced team, which is great news for organisations with smaller security teams. There are also plenty of managed detection and response (MDR) offerings available, but service levels and deliverables can vary widely, so it’s always good to evaluate MDR vendors up front.
Another nuance between GDPR and the Philippines DPA is the specific requirement to create a privacy manual whereby personal data privacy and security controls are documented. The NPC has provided solid examples of what to do and what to document. For instance, as part of its requirement for having a process for regularly testing, assessing, and evaluating the effectivness of security measures, it provides the following example:
"The organisation shall review security policies, conduct vulnerability assessments, and perform penetration testing within the company on regular schedule to be prescribed by the appropriate department or unit.”
As a security professional, I am also overjoyed to see the NPC’s published best-practice information, which covers both data centers and computers. Plus, it also provides specifics around the application of encryption, including calling out 256 as an appropriate standard.
The Global Data Protection Regulatory Wave Continues to Gain Momentum
Not all countries are yet taking personal data protection quite as seriously as the Philippines. But IMO, it’s safe to predict that the vast majority of those who haven’t caught up will be doing so in the not-so-distant future. The Indian government is currently reviewing a proposed bill, and on a U.S. state level, California recently passed the Consumer Privacy Act of 2018, which goes into full effect in 2020.
Wherever you’re reading this from, if you are looking for ways to better secure your systems from vulnerabilities, quickly detect attackers, or improve your incident response capabilities, Rapid7 is here to help. You can get started with our free and fully functional Insight platform trial.