The Philippines and the European Union have taken steps to protect the data and privacy of their residents. Through the enactment of the Data Privacy Act (DPA) and the General Data Protection Regulation (GDPR), people are now able to have the protection they are looking for online. This means changes for businesses everywhere that are planning to reach consumers in the Philippines, the EU and many other countries.
Companies need to look at the way that they are handling the personal data of their customers and have an action plan in place to ensure their privacy is protected. Without a strong understanding of what the DPA and the GDPR mean and how they affect your business, you could find yourself in a situation with the Philippine Privacy Commission (NPC) or EU Regulators that you didn’t count on.
Some businessmen have discussed the more unexpected consequences of the new data privacy protection regulation. Here’s what they had to say:
- Restriction of privacy and innovation
Data privacy regulations (DPR) will restrict—not enhance—privacy, freedom and innovation. The result will be regions of noncompliance, enormous expense and uncertainty.
- Roadblocks for blockchain data storage
DPR could impact the decisions and data sets being stored and collected in emerging private and public blockchains. This may create roadblocks for companies looking to embrace blockchain to store any data that may fall under DPR.
- Opt-in fatigue
One of the most unexpected consequences of DPR is the wave of new regulations in jurisdictions around the world. Another unintended impact is “check the box” fatigue where opt-in consent language is presented so frequently on websites and apps that consumers don’t read the consents and just check the box, waiving their privacy rights.
- Poor customer service
One DPR by-product distortion or unintended consequence is excessive regulation leading to poor customer service. The pendulum has swung too far and will be moderated by citizen feedback.
- Small businesses getting hurt
The companies that are best prepared for DPR are the big ones—those that have the money to pour into their tech and legal teams for ultimate compliance. The small and medium-sized businesses, however, may be less prepared, making them more vulnerable to potential fines and penalties.
- The slow death of free services
If a service is free, then your data is the product. We all love using Facebook, YouTube and the many other social-media platforms. However, we fail to realize how these businesses operate. If regulations strangle business, then the alternative is a paid model.
- Photography being part of DPR
Unexpectedly, photography at work and school is also a part of DPR. Even if you have asked for consent of employees, parents and students in advance, every depicted person now has a right to ask for photo removal. Companies have to make sure all copies of personal information can be accessed at a moment’s notice, with ongoing assessment and auditable accountability across all systems.
- C-suite becoming responsible for data security
DPR marks the first time that multiple key departments must be in sync to achieve effective management, especially in light of Gartner’s Integrated Risk Management spectrum, which defines three risk types: strategic, operational and information technology. Historically, IT has been responsible for data security and network protection, but DPR’s requirements make this a C-suite affair. This is a whole new ball game that many didn’t see coming.
- Restricted technology access for citizens
For example, most apps in Apple and Android app stores collect some kind of personal information, and most of these developers are too small to manage these regulations.
- Reduced ability to track cybercrime
An unexpected consequence of the DPR regulation involves the reduced ability to track and detect cybercriminals. Web domain registration details such as name, address and contacts of domain owners have been crucial in linking malicious sites to hackers. Unfortunately, this outcome was never foreseen since the regulation focused on protecting the consumer data without explaining how malicious users and activities would be addressed.
- More meaningful customer engagement
Companies with insincere marketing techniques have encountered problems with DPR. However, the overall effect on the industry is positive, as companies are now forced to have meaningful interactions with their customers. Really engaged customers are far more valuable than uninterested ones. If someone has accepted your services they will interact more, and your marketing efforts will become more effective.
- Increased value of first-party data
As DPR compliance has taken hold not only across the Philippines but across the globe, the value of first-party data has grown exponentially, while third-party data becomes a commodity. First-party data is not only being leveraged to drive personalized experiences, but we’re seeing consumers now expect hyper-personalized brand interactions in exchange for the detailed information they provide brands.
Despite the critical views expressed by businessmen, organizations have no choice but to ensure they have the right framework in place for data privacy protection, gather relevant information from all corners of their organization, and then act on it. To achieve that and monitor the behavior of staff in their organization, automation is needed. The tool is available in the Philippines. The software that allows this to happen and is capable of guiding you throughout the journey of data privacy protection is called a “Data Protection Management System”, or DPMS for short.
We would love to help you design a fully risk-based approach to compliance.
Contact me at Schumacher@eitsc.com.