How is GRC and Data Protection converging?

INTEGRITY BEAT - Henry Schumacher - The Freeman

Data protection has gained prominence in recent times, driven by digitalization, increased consumer awareness of data infringements, and the enforcement of laws. As an extension of operational compliance, data protection encompasses more than information security: it covers how the organization collects, uses, discloses and stores data.

These processes must be governed with the right policy, with risks assessed, adequate protection measures to mitigate the risks, sustained effort and an effective response plan, which you hopefully have in place!

Increasingly, it becomes evident that data protection and Governance, Risk Management & Compliance (GRC) are converging due to high-profile breaches reported recently. The breaches, especially from the organization’s third-party vendors, imply that there are gaps or risks within the GRC initiatives in the organization that were not addressed and were exploited by hackers.

It is thus critical for organizations to understand the nuances and the data protection laws better in order to navigate the change in the environment, from business planning to effective engagement with stakeholders to managing the risks in the organization more effectively.

Given this situation, it is good to see that the National Privacy Commission (NPC) is pushing for amendments to the Data Privacy Act.

NPC Commissioner Liboro said the House of Representatives committee on information and communications technology approved the substitute bill to amend the DPA, which would give the NPC additional powers such as the authority to issue summons and subpoenas, contempt powers, and the power to impose administrative penalties.

Under the bill, there are provisions redefining sensitive personal information to include biometric and genetic data and political affiliation and clarifying the extraterritorial application of the DPA when processing personal data of Philippine citizens and/or residents is concerned.

The proposed amendments likewise cover changes in criminal penalties under the DPA to give the courts the option to decide on either imposing imprisonment or slapping fines.

 “In the last five years, the NPC has laid down privacy in the Philippines with a clear roadmap. In our drive to become a data privacy resilient country, we have adopted a responsive regulatory approach characterized by raising awareness, strict compliance, and enforcing the law. To do this, we find a need to amend the current DPA to keep up with the changing times,” Privacy Commissioner Raymund Liboro said.

It is obvious that consumers have to become more aware of how to exercise their data-subject rights. They may need experts who offer consumers an efficient and automated way to secure those rights as a service. It is good that these experts are available, to assist management, to train the employees and to explain what automation tools are available to protect organizations from data breaches.

Should you need assistance in training or in the selection of automation tools for Data Protection Officers (DPOs) and beyond, let me know; you can reach me at [email protected]
