Startup Guide: Data Privacy
Data Privacy has become a very big deal in recent years.
In the Philippines, the governing law is the Data Privacy Act. Contrary to popular belief, Philippine startups only have to comply with the General Data Protection Regulation (GDPR) if they collect data from users in the European Union. Other laws to be aware of are the California Consumer Privacy Act and the California Privacy Rights Act, which may apply if you intend to operate in California, United States.
The first thing to remember is that if you are a startup with a website that collects Philippine user data, you are considered a personal information controller. You may have obtained this personal information through data voluntarily submitted to you during user signup or through user actions taken on your platform.
On the other hand, your website users are called data subjects.
Your primary job under the law is to protect the rights of these data subjects. These include the right to be informed when their data is being processed.
Remember, you cannot collect all types of data. The data must be necessary for your declared legitimate purpose. Certain information, called sensitive personal information, is especially protected. This includes information on the race, ethnicity, age, marital status and religion of the data subjects.
Merely asking for consent is not enough to comply with our Data Privacy Law.
You are required to designate Data Protection Officers (DPOs), who must be regular employees of the company or, if contractual, engaged for at least 2 years. The DPOs should ideally have expertise in both data protection regulations and the startup's data processing operations. More details on DPOs can be found here.
Some of the other requirements are as follows:
- Implementation of appropriate data protection and processing policies
- Description of data processing system with records
- Selection and supervision of employees who have access to personal data
Lastly, if you process the sensitive personal information of at least 1,000 individuals or employ at least 250 persons, you are required to register with the National Privacy Commission.
By complying with Data Privacy regulations, you not only protect yourself from legal risk but also build trust with the users of your platform.
Digest is a one-stop shop for Philippine laws, lawyers, and contracts.