Streamlining Compliance with the Data Privacy Act

September 9, 2017 marks the one year anniversary of the Implementing Rules and Regulations (“IRR”) of the Data Privacy Act of 2012 (“DPA”). It marks the end of the period originally given to organizations—both public and private—to comply with the provisions of the DPA by conducting their own gap analyses or impact assessments and crafting the roadmap by which to structure their own compliance processes.

But how clear is this roadmap?
One year after the promulgation of the IRR, in negotiating the road to full compliance, organizations have been faced with multifaceted issues relating to Data Privacy, from securing the consent of the data subject all the way to the question of minimum compliance. A full resolution of these issues calls for a keen and nuanced understanding of the Data Privacy Act.

The Disini & Disini Law Office organized this symposium with the hope of providing nuanced reading of the Data Privacy Act. By resolving these issues surrounding the law, organizations can now move forward with their own compliance process, without the fear of making a faux pas that would prove costly in the future.

As the compliance period draws to a close, it is imperative that the road to compliance be made as smooth as possible.

Regardless of breadth, organizations would require all the assistance required if they hope to fully align with the demands of the Data Privacy Act.

KEYNOTE: Moving Forward with Data Privacy Compliance

As the agency primarily charged with implementing the Data Privacy Act, the
NPC stands at the forefront of ensuring compliance on the part of organizations.
The Hon. Raymund E. Liboro, Commissioner of the NPC, shall outline all the challenges faced
and surmounted by the agency in the course of carrying out its
mandate, as well as all matters that the public can expect from the NPC as the Data
Privacy Act enters full implementation.

National Privacy Commission
SESSION: DPA Compliance in A Nutshell

Before even going to the issue of minimum vs. full compliance, it is
necessary to look into how an organization is expected to jumpstart its
compliance process. This session shall put into focus what compliance
with the Data Privacy Act entails, as well as the highlights of the compliance

Disini Data Privacy Core Team
Disini & Disini Law Office
SESSION: The Role of Information Security in DPA Compliance

Some members of the information security community hold the mistaken belief
that information security circumscribes compliance with the Data Privacy Act. In
other words, they believe that, once an organization meets the prescribed
Information Security standards, there is concomitant compliance with the Data
Privacy Act. Considering that Information Security is but a small yet critical
component of data privacy, this session shall clarify the position of information
security within the sphere of data privacy, as well as the specifics of fully
complying with the security requirements of the Data Privacy Act.

Technical Director,
ECC International
SESSION: Data Breach Notification:

National Privacy Commission
In the event of a data breach, the Data Privacy Act requires that data subjects
and the National Privacy Commission be notified of such data breach. What
conditions would trigger data breach notification? In this session, insights on the data breach notification
requirement of the Act, and how a data subject may lodge a formal complaint
should this requirement be violated, will be discussed.

Complaints and Investigations Division Chief
National Privacy Commission
ACTIVITY: Data Breach Management

Under the Data Privacy Act, organizations are mandated to implement breach
management systems and procedures to maintain the confidentiality, integrity,
and accessibility of personal information in the event of a data breach. This
session, designed to teach organizations the best practices for data breach
management, shall have participants run through a whole gamut of breach
scenarios, giving them insights on the best course of action to take in the event of
a data breach.

Disini Data Privacy Core Team
Disini & Disini Law Office
SESSION: Weaponizing the Data Privacy Act

The Data Privacy Act of 2012 is a penal statute—imposing criminal liability upon
persons who violate its provisions. Given the ease by which one could possibly
be found liable under the Data Privacy Act, there exists a real danger that the law
shall be deployed to further an objective that is disparate from the
data privacy considerations. This session shall explore the risks of failing to
comply with the Data Privacy Act based on the idiosyncrasies of various

Disini Data Privacy Core Team
Disini & Disini Law Office
SESSION: Cross-border Issues

There are currently two competing privacy regimes, specifically Directive
95/46/EC, adhered to by the European Union, and the APEC Information
Privacy Framework Standards, adhered to by APEC and the United
States. Considering the significant disparity between the two regimes, it is
necessary to determine where our own Data Privacy Act is situated, as well as to
identify issues that come naturally with the transfer of personal information
across borders.

Disini Data Privacy Core Team
Disini & Disini Law Office
SESSION: Consent as a Data Privacy Fundamental

Consent is undoubtedly the touchstone of data privacy. By securing the data
subject’s consent, an organization can, theoretically, use it without running afoul
of the Data Privacy Act. However, that is a perilously simplistic reading of the
requirement for consent. This session hopes to shed light on the multifarious
requirements in obtaining consent, as well as the most efficient means of
securing such consent without straying from that which is provided under the
Data Privacy Act.

Disini Data Privacy Core Team
Disini & Disini Law Office

Hot Topics in Data Privacy Compliance


The “Hot Topics” portion of the symposium is a Q&A session devoted to answering queries of the participants according to the most pressing issues of the Data Privacy Act. The questions will be fielded by the Disini Law Privacy Core Team of the Disini & Disini Law Office.

HOT TOPIC: Data Privacy Vis-à- vis Emerging and Social Media

Technological advancements in the past 15 years has brought the power held by
traditional media into the hands of individuals. However, this empowerment of the
individual in terms of media reach brought with it new concerns, not the least of
which is data privacy. Given the increasing popularity and power of emerging and
social media, what, then, are the potential data privacy concerns that these new
purveyors of news shall face?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: Minimum Compliance Vis-à- vis Full Compliance

Many organizations operate under the assumption that there exists a minimum
threshold for complying with the Data Privacy Act. In other words, once this
threshold has been reached, then minimum compliance has been achieved.
However, the issue remains: is there such a thing as minimum compliance? Is
there a “zone” within which an organization, upon reaching such zone, is deemed
to have complied with the Data Privacy Act?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: DPA Compliance as Practice of Law

Professionals from various disciplines have undertaken and spearheaded
compliance projects for various organizations. However, given the peculiarities of
the Data Privacy Act, especially the fact that many of its aspects call for legal
determinations, is it possible that compliance work is already practice of law?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: The Research Purpose Exception

The provisions of the Data Privacy Act do not apply when personal information is
processed for research purposes. However, questions continue to hound the
research exception. Preliminarily, there is a need to determine the scope of the
research exception. Failure to resolve this will certainly put researchers at risk, as
they would not know when they should secure the consent of their subjects.
Moreover, this lack of a defined scope has resulted in the Data Privacy Act being
seen as a possible threat to the integrity and accuracy of research results, as
revealing the true purpose of the research necessitating such misdirection would,
necessarily, skew the results. How, then, should the research purpose exception
properly availed?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: The Journalistic Purpose Exception

The past few years have witnessed the blurring of the lines between journalism
and what is not. The rise of the so-called alternative media, led by individuals like
Mocha Uson, has fueled the discussions redefining journalistic boundaries. This
redefinition necessarily calls for a discussion of this new brand of journalism with
respect to the Data Privacy Act. Can these journalists of alternative media avail
of the journalistic purpose exception under the law?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: The Legitimate Interests Exception

Under the Data Privacy Act, personal information may be processed if it done
pursuant to legitimate interests. Simply put, there is no need to secure the
consent of the data subject if his personal information is going to be processed
for legitimate purposes. Given the undefined breadth of what constitutes
“legitimate interests,” imprimatur for processing hinged upon such legitimate
interests may lead to the nullification of the entire law. But is that really the case
here? Is this the provision that, as Sen Edgardo J. Angara claimed, sought to
marry the two competing privacy regimes?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: The Public Function Exception

The Data Privacy Act affords the government a critical exception by allowing it to
process personal information if such processing is necessary for the fulfillment of
the functions of public authority. However, the limits of this exception remain
undefined. Does that mean that the government need not obtain the consent of
its data subjects? Moreover, as the exception seems to apply to the information
to be processed and not to the entity processing such information, may
corporations, then, use government data without the consent of its data subjects?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: BPOs and Contact Centers

Before the Data Privacy Act took the form as we know it today, it was the BPO
industry that pushed for the passage of the law. However, in the current iteration
of the Data Privacy Act, the BPO and contact center industry is essentially
exempt from the coverage of the law, at least with respect to the lawfully
collected personal information of foreign residents. But is the BPO and contact
center industry completely exempt? What are the aspects of the industry that
remain to be covered by the law?

Disini Data Privacy Core Team
Disini & Disini Law Office
HOT TOPIC: Personal Information vs. Sensitive Personal Information vs.
Personal Data

The Data Privacy Act has devoted provisions for the purpose of dealing with
personal information and sensitive personal information separately. This
apparent difference in treatment calls for a discussion of whether personal
information, sensitive personal information, and personal data are mutually
exclusive concepts. The answer to this preliminary issue would have grave
implications on how the Data Privacy Act can and will be interpreted. As an
example, if personal information is not included within the concept of sensitive
personal information, then the research exception under the Data Privacy Act
cannot apply to sensitive personal information. How, then, should these be
concepts be treated?

Disini Data Privacy Core Team
Disini & Disini Law Office