Privacy Management Goal: Resilience or Maturity

Resilience is the ability to adapt and recover from catastrophes, hazards or mishaps, whereby one usually learns how to mitigate, if not eliminate, the risks of a similar event arising in the future.

Judging from online sentiments expressed recently, an increasing number of Filipinos have grown tired of being called resilient. Intended as a compliment, a careful examination of the context Filipinos are often associated with such quality explains this shift in attitude. It reveals that people are tired of simply outlasting problems. They are no longer content with recovery, while seeing the same recurring issues with no signs of significant improvement in the way they are dealt with.

Consider this: the Philippines goes through an average of 20 typhoons every year. Occasionally, earthquakes and volcanic eruptions also occur, not to mention the droughts, landslides, and storm surges that pay its shores an unwelcome visit. One would think that, by now, the country should already be a paragon in disaster risk reduction and management, exuding best practices emulated by other countries. But that’s not the case. As individuals and as a nation, it’s hard to argue that the country is now more capable of facing disasters than in the past.

Organizations confront a similar dilemma when dealing with data protection. It’s been 6 years since the Data Privacy Act (DPA) became law, and more than two years since the establishment of the National Privacy Commission (NPC). Ten agency issuances and a slew of information dissemination events later, there remains a nagging sense that few have made the effort to meet the demands of data protection, especially the provisions of the DPA. This, despite the notable increase in the number of suspected data breaches making the headlines, and even with companies regularly getting meted with fines for violating data protection laws in other countries.

The reason is that data privacy is still not a priority in the country. On paper, it feels like it is. But many remain unaware of the law and what it entails. Among those in the know, most aim only for paper compliance and make no effort to cultivate a culture of privacy within their respective organizations. They view it as an additional burden to be bundled with many other compliance requirements imposed by government.

This results to immature organizations in terms of their capacity to appreciate data protection and the things they need to do to embed it in their structure and operations. In my work as a data protection consultant, the following are just a few of the common problems I found most organizations are afflicted with: (1) poor or no documentation of policies and procedures; (2) dysfunctional organizational structures; (3) data protection officers who are clueless about their duties, or are simply burdened with too many other tasks; and (4) lack of protocol in case of a data breach.

To address these problems and more, an organization has to have a robust and comprehensive Privacy Management Program (PMP). A PMP is a strategic compliance framework that guides an organization and its people how to lawfully and fairly process personal data without compromising their legitimate interests.

Resilience is certainly one of the qualities of a good PMP. But it should not be the main benchmark. If anything, it should be maturity or the way a Program goes beyond paper compliance and aims for an accountability model designed to address every foreseeable data protection issue or concern.

A mature PMP is necessary to a successful business today, especially those whose core operations involve personal data processing. It not only addresses known risks, but also proactively assesses data processing systems to mitigate unexpected ones. Its other benefits include: (1) boosting clients’ trust; (2) minimizing risks while increasing competitive advantages; (3) helping an organization demonstrate its compliance with the law to regulators; and (4) allowing it to meet global data protection standards.

To achieve such state, an organization should keep the following tips in mind:

• Evaluate the privacy landscape regularly. Identify the data protection laws and industry standards your organization needs to adhere to. Some companies are covered by more than one data protection law, depending on the countries or regions they operate in, the industry they belong to, and/or the nationalities of the people whose personal data they have custody of. As such, regularly monitoring such laws and their requirements is key.
• Ensure buy-in from top to bottom. Executives still set the tone even when it comes to data protection. If decision-makers do not value data privacy, then any attempt to translate it to policies and measures will be futile. Find a privacy champion at the executive level who will sponsor and help advocate data privacy as a core value of the organization. Also, let everyone in the organization know their role and value in data protection, because an organization is still only as strong as its weakest link.
• Emphasize privacy return on investment. To sustain a good PMP, it is important to make stakeholders see that data privacy is a worthwhile investment. While it does not generate revenue, it does help prevent loss (massive ones, if some cases). Let others consider how much a downtime would cost the organization, how much cost a data breach would entail, and how poor data protection could lead to loss of clients.
• Establish an effective data protection office. Today, it is common to encounter companies merely designating an DPO, which essentially means giving a current employee more work on top of other existing obligations. No additional resources are provided. Salary remains constant. This is a recipe for disaster. Only a permanent data protection office with sufficient manpower and resources can provide the assurance that an organization is on top of all data protection issues and concerns.
• Provide effective templates and establish best practices. Templates and guides are extremely useful when establishing a culture of privacy, especially for organizations whose personnel are still grappling with the concept of data privacy and what it entails. One need not recreate the wheel when developing these tools. It is best for organizations to adopt and tweak existing templates. Measures that have proven effective should also be adopted as best practices and applied consistently.
• Develop and implement documentation. Properly documented policies and procedures allow an organization and its personnel to have a reliable source of reference when dealing with complicated issues. This applies with equal importance to data protection. Taken together, these policies and protocols make up an organization’s PMP.
• Learn from mistakes—yours and those of others. There is no perfect organization, no impenetrable security system. Data breaches happen every day, regardless of the amount and quality of security measures put in place. Acknowledging this doesn’t justify being less careful (since things happen anyway), but reminds us to learn from each experience—even those of others—in order to recalibrate one’s PMP and make it better prepared for a similar problem in the future. The regular conduct of so-called Privacy Impact Assessments helps.

Now, developing a PMP is a task that will never be completed. It requires a continuous evolution of policies and measures, and regular improvements meant to address internal and external factors. A PMP that successfully does all these on a regular basis may sometimes be described as resilient. To be fair, that would not be wrong or inaccurate. That, however, is more of an outcome than a quality worth emulating. Hence, I would suggest focusing instead on the quality that makes that desired outcome a reality, and that would be maturity.

Resilience could be a person who survives because of a high tolerance for pain and failure, and not because he or she does anything to change his or her circumstances for the better. We shouldn’t want that. And in fact, more and more Filipinos don’t want that either. Instead, we should grow and learn, always aiming to become better versions of ourselves. This is true for data privacy as to every other endeavor.

Maris Miranda is a Certified Information Privacy Manager. A former member of the Privacy Policy Office of the National Privacy Commission, she now serves as a resource speaker and consultant on privacy and data protection.