Leaders play an essential role in creating a privacy culture within an organization. A privacy culture is one in which the protection of personal data is seen as an integral part of the organization’s operations, and where all members of the organization are aware of their privacy responsibilities. Leaders are responsible for setting the tone for the organization’s privacy culture, and for ensuring that the organization’s policies, procedures, and practices reflect a commitment to protecting the privacy of their data subjects.
Leaders must communicate their commitment to privacy to their employees, customers, and other stakeholders. This can be done through various methods, such as employee training, customer education, and public statements. Leaders should also ensure that their organization’s policies, procedures, and practices reflect their commitment to privacy, including implementing measures to protect personal data, such as encryption, access control, and data minimization.
To ensure the organization’s privacy culture is maintained, leaders are expected to be monitoring employee and customer behavior and responding swiftly to any privacy breaches. They should also ensure that their organization’s privacy culture is reflected in its public image. This includes promoting the organization’s commitment to privacy in its marketing materials and on its website. Leaders should also strive to create a privacy-conscious culture through their interactions with employees, customers, and other stakeholders.
While the Philippines is one of those countries in the world that has enacted its own Data Privacy Law (Data Privacy Act of 2012), privacy legislations playing catch up with new technology is considered a threat.
In their recently concluded webinar on Data Protection Predictions for 2023, privacy experts at the Data Protection Excellence Network (DPEX) have identified some key challenges that should be considered in strengthening the organization’s privacy strategies. Leaders are expected to take into consideration the ongoing digital transformation, which will create increased privacy and security threats. This will be driven primarily by the growth of the 5G World, and the pervasive use of new technologies (IoT), including post Covid19 recovery efforts. This will mean more data being collected and shared about individuals, raising concerns about how securely data is collected, stored and managed. There are also concerns about the use of AI-powered facial recognition, biometric scanning, and other forms of surveillance technology, including collecting data from children, leading to concerns about the ethical use of these data.
With the increasing number of privacy breaches around the world, leaders are expected to draw continued attention to support integrated data strategy for digitalization. Leaders should urgently direct the review of their standard operating procedures to comply with all Data Privacy obligations. It is highly recommended that organizations conduct data protection impact assessments to address privacy and security risks. These assessments, including the conduct of third-party due diligence for new projects and contracts, and should be revisited and reassessed regularly.
From an organizational perspective, there are several key data protection and privacy initiatives that business leaders should take into consideration:
Data Privacy by Design
Companies must begin to look at data privacy from the start of any product or service development process rather than as an afterthought. This will mean incorporating security measures into the design of a product or service, as well as having procedures for safeguarding data that are in line with current regulations.
Balanced Security Approaches
Companies must strike a balance between providing secure products and services, while ensuring users have access to those products and services without violating the rights of the data subjects and considering the amount of data collected. To achieve this, organizations must be cognizant of the user experience and build security measures into their products and services that are unobtrusive.
Companies must review how data is collected, processed, managed, including who has access and a clear purpose of why data is being collected, including those being collected, processed and stored by contracted third parties. This will mean having detailed data sharing agreements, policies and procedures for managing data, as well as a process for ensuring compliance with data protection laws.
A Culture of Privacy & Security
Business organizations must foster a security culture from the top down, ensuring that all employees understand the importance of data privacy and have access to security training and awareness on how to protect data. This means not just having policies in place but also incorporating those policies into everyday activities, communicating them clearly to all stakeholders and holding everyone responsible to the same standard.
As organizations consider these initiatives, they must do so in a way that respects their customers’ privacy while also providing them with safe and secure products and services. By taking a holistic approach to data privacy, organizations can shore up both security and their overall customer experience. A good reference for these initiative will be ISO 27701 which is the newest standard in the ISO 27000 series, explaining what organizations must do when implementing a PIMS (privacy information management system).
Compliance and Accountability
In 2012, the Philippine Government enacted Republic Act 10173 otherwise known as the Data Privacy Act of 2012.
“The Data Privacy Act of 2012 is a 21st century law to address 21st century crimes and concerns. It (1) protects the privacy of individuals while ensuring free flow of information to promote innovation and growth; (2) regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data; and (3) ensures that the Philippines complies with international standards set for data protection through National Privacy Commission (NPC).”
Aside from the basic requirements mandated by the DPA – registering with the National Privacy Commission (NPC), and designating a Data Protection Officer (DPO) – leaders should also be able to prioritize the creation of a data protection office which should also focus on business objectives rather than just compliance, both operational and demonstrable, and to display a culture of accountability and assurance.
Using the NPC’s 5 Pillars of Compliance and Accountability, it is imperative for Philippine businesses and its leaders to:
- Demonstrate their commitment to comply, by appointing a Data Protection Officer (DPO).
- Know your processes and risks by conducting Privacy Impact Assessments.
- To be able to write your plan and create a Privacy Management Program.
- Be accountable and implement your Privacy and Data Protection Measures.
- Be prepared and regularly exercise your Breach Reporting Procedures.
Some business organizations have identified a number of challenges and priorities when operationalizing an effective data protection and privacy program:
- Obtaining sufficient resources or budget,
- Difficulties working with various business functions, and
- Building a privacy-driven culture.
Leadership is critical in being able to develop an ethical, data and privacy-driven culture. The potential benefits are not only a compliance program to mitigate the risk of a future legal or enforcement claim, but how you can then leverage data to achieve strategic digital transformation objectives, earn the trust of your customers and enhance your organization’s reputation.
Business leaders have a very important role to play in creating a privacy culture within their organization. They should remain engaged in the data discussion because data may be their biggest asset, able to sink their shares or elevate them to record highs. Leaders are expected to support initiatives to increase awareness of privacy risks and data protection requirements thru regular training, reminders and competency assessments. They should continue communicating their commitment to privacy, implementing measures to protect personal data, and strengthening a privacy-conscious culture, which may support their efforts in being able to align their data programs across their future-ready enterprise.
Bobit Silerio is a Certified Data Protection Officer, and is the Data Privacy Strategist at Firesprings Consulting, Inc.