Organisations in the Philippines should be familiar with the Data Privacy Act, which came into effect in 2016. However, many organisations now face a new challenge in the form of the EU General Data Protection Regulation (GDPR).
Although the GDPR is an EU law, it applies to any organisation in the world that collects EU residents’ personal data. This means that any organisation outside the EU will have to balance GDPR compliance with its own country’s data protection laws. This will be particularly tough in the Philippines, as its data protection laws are as intricately detailed as the GDPR. On the plus side, any organisation that is already compliant with the Data Privacy Act will have less work to do to meet the GDPR’s requirements.
This blog compares some of the most important terms and requirements of the GDPR with the Data Privacy Act, helping organisations identify how to approach GDPR compliance.
The definition of personal data
Data Privacy Act: Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
GDPR: Personal data means any information relating to an identified or identifiable natural person.
Purpose limitation
Data Privacy Act: Personal data should be collected for specified and legitimate purposes determined and declared before or as soon as reasonably practicable after collection and later processed in a way compatible with such declared, specified and legitimate purposes only.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation
Data Privacy Act: Personal data shall be adequate and not excessive in relation to the purposes for which they are collected and processed.
GDPR: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Access and correction
Data Privacy Act: The data subject has the right to dispute the accuracy of the personal data and have the personal data controller correct it immediately and accordingly unless the request is unreasonable.
GDPR: The data subject has the right to know what personal data concerning them is being processed and to access the data and any information about the processing, including what categories of data are processed and whether the data is being shared with third parties. They also have the right to request the erasure of illegitimately collected data and the rectification of inaccurate data.
Get help preparing for the GDPR
Organisations that went through the compliance process for the Data Privacy Act are no doubt capable of complying with the GDPR, but it can be daunting to learn a whole new set of terms and requirements, particularly with the added difficulty of remembering the differences between the two laws.
Those in charge of GDPR compliance might benefit from reading our book of the month, EU GDPR – A Pocket Guide.
Written by IT Governance’s founder and executive chairman, Alan Calder, this guide is the perfect primer on the GDPR, explaining the terms and definitions used in the Regulation, its key requirements and how you can achieve compliance.