This issue was raised very recently by National Privacy Commission (NPC) Chairman Raymund Liboro. He added that one of the biggest concerns in the Philippines is business data negligence, where data breaches happen due to carelessness. “Being hacked is not a crime, but being negligent is.”
To demonstrate what is happening here and elsewhere, I would like to focus on recent developments in Singapore where an increased number of enforcement actions were initiated due mostly to common mistakes in failing to protect personal data.
The Data Protection Excellence (DPEX) Centre, the autonomous research and education arm of Straits Interactive (of which the European Innovation, Technology, and Science Center Foundation is a member), announced that the number of organizations breaching Singapore’s Personal Data Protection Act (PDPA) has reached record levels and has already surpassed the total number of enforcement cases in 2018.
As of the end of August 2019, 26 organizations had been either fined or warned in enforcement cases, compared with 23 organizations recorded in the full year of 2018. This represents a 13-percent increase in enforcement action by the Personal Data Protection Commission (PDPC). A total of S$1.28 million (P48.4 million) in fines has been issued to date this year, the majority of which came from fines imposed because of the SingHealth-IHIS data breach. The accumulated fines this year dwarf the total amount recorded from 2016 to 2018, which amounted to only $339,000.
Kevin Shepherdson, head of DPEX Centre and chief executive officer of Straits Interactive, said: “About 80 percent of all valid cases were due to the breach of the protection obligation where personal data was compromised and was leaked, mostly due to the organization’s employee error or negligence instead of malicious activity. In fact, only 15 percent of such enforcement cases were due to a cyber attack. This amounts to about four enforcement cases a month. As such, organizations are advised to beef up their governance and data protection practices to proactively address common breach scenarios and demonstrate accountability, or they risk enforcement action.”
Summary of findings (2016 to present)
Top 10 common causes of PDPA breaches
1. Untrained staff
2. No data protection policies
3. Inadequate security controls
4. Lack of appropriate SOPs
5. Weak passwords
6. Poor system/software design
7. Sending to wrong recipients
8. Failure to verify the accuracy of processed data
9. System security not audited regularly
10. Error in processing/printing
Top 5 Industry Sectors
1. Financial (14 percent)
2. Retail (14 percent)
3. Volunteer Welfare Organizations (10 percent)
4. Professional Service (9 percent)
5. Food and Beverage (9 percent)
Top Breaches of PDPA Obligations
1. Protection (section 24): 80 percent
2. Policies (section 12a): 17 percent
3. Consent (section 13): 16 percent
4. DPO compliance (section 11): 9 percent
5. Purpose Limitation (section 18): 8 percent
The increased enforcement action will likely prompt more organizations to go for the Data Protection Trustmark (DPTM) Certification, as having accountable practices is one of the conditions under the PDPC’s Active Enforcement Framework, where organizations may request an undertaking in the event of a common breach of a PDPA obligation. In addition, they are expected to have an effective remediation plan.
In this context, it is good to note that the NPC plans to launch the Philippine Privacy Trust Mark before the end of the year.
Looking at the developments in Singapore and the plans of the NPC’s Liboro, it is pretty clear that you and your company will not get away with negligence in data privacy protection in the future! You had better act now. If assistance is needed, let us know. You can contact me at schumacher@eitsc.com.