Should companies take Data Privacy compliance seriously?

Updated: May 2, 2023

Jun Malacaman

Data Privacy Advocate and Consultant


The alternative, if data privacy compliance is taken lightly, could be devastating for the company and its people. The delays would already have cost the company more money, time, and effort, with the flag of compliance still farther out on the horizon.

The risk of higher penalties would also have escalated by now. Non-compliance can result in criminal acts punishable under the data privacy law, the Data Privacy Act (DPA) of 2012. Penalties for non-compliance are enforced by the National Privacy Commission (NPC) through its Implementing Rules and Regulations (IRR), released in 2016.

“Responsible officers” of a corporation shall be recommended for prosecution by the NPC if, through their participation or by their gross negligence, they allow the commission of a criminal act penalized under the DPA 2012. Penalties for crimes under the DPA could go as high as Php5 million in fines and up to 7 years imprisonment.

What constitutes gross negligence?

Extreme indifference to or reckless disregard for the protection of personal data by the company’s leadership could be taken as gross negligence when applied to data privacy. That includes the continuing inaction of any Data Protection Officer or DPO as the appointed lead to meet the company’s compliance goals and objectives as required by law.

For the company’s management, gross negligence could be the consistent failure to take drastic action towards compliance over the past 4 years of the DPA’s existence and of the NPC’s insistence on corporate accountability for data privacy compliance from all organizations in the private and government sectors.

Data privacy compliance is not easy. That is the reason companies should tap the best resources available, whether in-house or from the outside, to meet this new challenge, and undertake data privacy compliance as a major project that has to be done not in another 4 years but, if possible, in the next 4 months.

The National Privacy Commission (NPC) has painstakingly laid out more than enough guidelines and advisories to help companies comply. Companies should just get their people to step up: to understand and implement these guidelines and procedures, and to meet the 5-Pillar proof of compliance that the NPC has provided since 2017.

Should companies take data privacy compliance seriously? That is no longer the question.

The question now is: can they find a way to achieve compliance? SOONEST!
