As Philippine businesses grow globally, they handle data that must follow more than just local laws. For a data protection officer in the Philippines, understanding the country’s Data Privacy Act (DPA) of 2012 is a given. However, to comply with global rules, they also need to be experts on the European Union’s General Data Protection Regulation (GDPR). This article will provide a comparison of the DPA and GDPR, highlighting their key similarities and critical differences. This knowledge is crucial for any DPO whose organization engages in global operations.
Understanding the Scope: When Both Laws Apply
A common mistake is thinking that a Philippine company only has to follow Philippine laws. The reality of data privacy laws is far more complex.
The DPA’s Territorial Reach
Organizations that process personal data in the Philippines are primarily subject to the DPA. However, if an organization has facilities or equipment in the Philippines that are used for processing personal data, the DPA's scope may extend to processing activities conducted outside the country. Put simply, a Philippine business is subject to the DPA whenever it handles the data of its local clients.
The GDPR’s Extraterritorial Power
In contrast, the GDPR has a far wider reach. Regardless of where the data is processed, it safeguards the personal information of EU citizens. This implies that a Philippine business is liable under the GDPR if it sells goods or services to EU citizens or even if it merely tracks their online activity (for example, by using cookies on websites). Therefore, a Philippine-based business that has clients in Germany or Italy needs to be ready to adhere to both the GDPR and the DPA.
Key Similarities: Foundational Privacy Principles
The fundamental concepts of data privacy underpin both the DPA and the GDPR, notwithstanding their variations in application and sanctions. Building a dual-compliant privacy program starts with an understanding of these common principles. Both laws emphasize:
Transparency and Accountability: Both require organizations to be transparent about how they collect and process personal data and to take full responsibility for their actions.
Lawful and Fair Processing: Both mandate that organizations have a legal reason for processing personal data, ensuring that the process is fair to the data subject.
Data Minimization and Purpose Limitation: Both laws state that organizations should only collect the data they absolutely need for a specific purpose and should not hold it for longer than is necessary.
Critical Differences: Where Compliance Overlaps
While the basic principles are alike, the main differences are in how the laws are put into practice and enforced. These are the areas where a DPO must be especially watchful.
Legal Basis for Processing
Although both laws demand a legitimate purpose for processing data, the GDPR takes a more thorough and stringent approach. Under the DPA, consent is the primary legal basis for processing. The GDPR, by contrast, provides six legal bases, including “legitimate interests,” which is more flexible but requires a careful balancing test against the data subject’s rights. The GDPR’s consent requirement is also far more stringent: consent cannot be implied; it must be given through an explicit affirmative action.
Data Subject Rights
Although data subjects are granted a number of rights under both laws, the GDPR contains some important rights that are less obvious under the DPA. For instance, the GDPR’s “Right to be Forgotten” is stronger than the DPA’s “Right to Erasure or Blocking,” enabling individuals to request the deletion of their personal data under specific circumstances. The “Right to Data Portability,” another feature of the GDPR, allows users to access and reuse their personal data across various services for their own purposes.
Breach Notification Timelines
Organizations must report data breaches under both laws, and their deadlines are fairly comparable. If a breach meets specific requirements, the DPA requires that organizations notify the NPC and impacted data subjects within 72 hours of learning about it. Similar 72-hour notice periods for notifying the appropriate supervisory body apply under the GDPR. In order to guarantee prompt notification to the NPC and, if relevant, the EU authority, a DPO must have a dual breach response plan.
Penalties and Fines
This is probably the most significant distinction between the two laws. The DPA imposes fines and possible imprisonment for violations, but the GDPR’s penalties are far harsher. A serious GDPR violation can result in fines of up to €20 million or 4% of a company’s worldwide annual turnover, whichever is higher. Given this financial risk, any Philippine organization handling EU data must comply with the GDPR.
A Practical Guide for the Dual-Compliant DPO
For a data protection officer in the Philippines, navigating these two laws requires a strategic and proactive approach.
Audit Your Data Processing Activities
The first step is to thoroughly check all data processing activities. The DPO must map out where data comes from, what kind of data it is (e.g., personal, sensitive), and where it goes. This is especially important for identifying any data from EU citizens that falls under the GDPR.
Prioritize the Stricter Standard
As a general rule, it is best for a DPO to adopt the stricter GDPR standards for the entire organization. By using the GDPR’s stricter rules for consent, clearer policies, and stronger data rights, a company can be sure it also meets the DPA’s requirements.
Review and Revise Privacy Policies
Privacy policies and notices must be reviewed and updated to reflect the requirements of both laws. These documents must be transparent, easy to understand, and clearly explain the legal reasons for processing, the rights of data subjects, and the contact information of the DPO.
Training and Awareness
Finally, the DPO must conduct regular training for employees on the nuances of both the DPA and the GDPR. This ensures that all employees, from marketing to IT, understand their role in protecting data and the serious risks of non-compliance.
Key Takeaway
For businesses with global operations, the data protection officer in the Philippines must be an expert in both the DPA and the GDPR. While both laws share the same goal of protecting personal data, their differences in scope, data subject rights, and, most importantly, penalties require a careful and deliberate strategy. By being proactive and following the stricter rules of the GDPR, a DPO can manage both laws, avoid legal risks, and build a reputation of trust in the global market.