Strict EU data rules to affect PH BPOs
Date: August 18, 2017
The business process outsourcing (BPO) industry needs to adjust to stricter regulations in Europe and Asia.
The European Union’s new General Data Protection Regulation, which takes effect in May next year, states that a data processor faces legal obligations in security, record-keeping and cross-border transfers. Depending on the breach, sanctions could go as high as four percent of a company’s annual turnover.
The need to comply with data privacy regulations here and abroad and even to upgrade systems in place was stressed by Raymund Liboro, chair of the National Privacy Commission, during the Data Privacy Asia, the annual data privacy conference organized by the Contact Center Association of the Philippines in partnership with Data Privacy Asia Pte. Ltd. of Singapore.
“The EU regulation would require any country to attain ‘adequacy’ status first before being allowed to process EU citizens’ data outside Europe,” Liboro said.
Other countries would be strict as well. Singapore and Malaysia have enacted comprehensive data privacy laws patterned after the European model.
Japan, which prides itself on having one of the oldest privacy laws in Asia, recently amended its Personal Information Protection Act. It stipulates prior consent of a data subject if the country to which the information is being transferred does not have a system for protecting personal data that is equivalent to Japan’s.
Noting that public awareness of data privacy is still a work in progress, Liboro said the Philippines has some catching up to do.
“Data Privacy in the Philippines is quite unique. Not only do we have 105 million Filipinos to protect, we have an entire industry to protect too,” he said, referring to the BPO companies.
A year ago when the National Privacy Commission was put in place, data protection officers, privacy impact assessments or breach notification protocols were not on the radar.
All are now required by the Data Privacy Act of 2012, which regulates how entities collect, use, disclose, store and dispose of personal data and ensures the compliance of the entire country with international standards for data protection.
It governs the protection of privacy and the trans-border flow of personal data amid the growing role of digital e-commerce and trade.
The business, after all, involves processing personal data that cuts across borders, mostly in countries with strict privacy concerns.
Liboro said it makes sense for BPO companies to ensure the confidentiality of information so they won’t lose clients.
“As the BPO industry multiplies its contributions and gains greater momentum, so do the risks to personal information increase, and so does the potential for loss in consumer confidence and trust,” Liboro said.
“In other words, the stakes are higher now because the potential for harm is exponentially greater,” he added.
He urged Personal Information Controllers (PICs) and Personal Information Processors (PIPs) to comply with general data privacy principles.
PICs are responsible for data, including information that has been transferred to a third party. PICs may outsource the processing of personal data to PIPs.
A BPO company may be classified as a PIP if its services are outsourced by a principal or a client to process data on their behalf.
General data privacy principles, for example, require that data subjects have the right to be informed. They have the right to have access to their data; to object, correct and rectify the data; to block or remove data; to complain; and to be indemnified.
Personal information may only be processed with the rights of data subjects in mind; the information must always be accurate; information must be collected adequately but not excessively and for a stated purpose; information must be kept only for as long as it serves its purpose, and never longer than necessary; and personal data must be secured.
Data subjects also have the right to data portability, that is, to take or transfer their personal data as they desire.
In addition, information processing should adhere to the general principles in the collection, processing and retention of personal data, as well as to the principles of data sharing, and criteria for lawful processing of personal information.
“The PIC and PIP should always uphold the rights of the data subjects, and provide adequate means for them to assert these rights,” Liboro said.
“PICs and PIPs shall implement reasonable and appropriate security measures for the protection of personal data. The security measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing,” he added.
As personal data processors, BPOs are required to adhere to these rules, Liboro pointed out.
Source: https://goo.gl/W53M9h