CCAP to enforce strict data protection policies in 2018

The Contact Center Association of the Philippines (CCAP) is assuring regulators of its full commitment to cooperate in the enforcement of strict policies that aim to help protect data of all stakeholders in local contact centers’ operations.

This was the main message of the industry group during its recent CEO Forum, a year-opener conference for all executives of its member organizations. CCAP reiterated its commitment to guide the industry in complying with new rules that uphold data privacy and cybersecurity locally and internationally.

One of the highlights of the CEO Forum was the upcoming enforcement by the European Union (EU) of the General Data Protection Regulation (GDPR) on May 25, 2018. That policy would apply to all businesses offering services in any of the 28 EU-member countries.

CCAP initiatives
“We’ve lined up important activities in 2018,” said CCAP President Jojo Uligan. “There will be a lot of initiatives that revolve around talent development. Our business is about our people so we need to have those activities for managers, team leaders, agents, and even executives.”

Among those activities is a workshop in April that would orient contact center managers about GDPR compliance. The subject will also be tackled in upcoming CCAP programs for C-levels, managers, team leaders, and agents. Those activities will culminate in Data Privacy Asia, which is slated in September.

“Trust is the biggest differentiator in businesses today,” said National Privacy Commission (NPC) Chairman Raymond Liboro. “You can be No.1 in your field but if you do not make adjustments in this digital economy, your brand and business will suffer. Invest in trust. We are not helpless.”

National Privacy Commission (NPC) Chairman Raymond Liboro

Data Privacy Act
Thus, NPC is strictly enforcing compliance of government agencies and businesses, particularly business process outsourcing (BPO) firms, with the Data Privacy Act, which aims for protection of personal information. Provisions of the Act also align with international regulations, including those of EU and other global economies.

Under the legislation, all agencies and businesses that process sensitive information of consumers must notify NPC and affected entities of any monitored or possible breach of data by unauthorized parties within 72 hours after discovery of such incidents.

Critical to this policy is the appointment of data protection officers (DPOs) by each agency or business. The DPO will be key to implementation of a privacy management program, which adheres to a 32-point checklist set by the NPC.

Strict enforcement
The commission is set to inspect each government agency and BPO to check if there is a DPO who makes sure its required privacy measures are implemented. Failure to do so, or if a security breach is proven to be intentionally omitted or concealed, would subject violators to a prison term (ranging from a year to 5 years) and a fine of about P500,000 to P1 million.

Liboro warned that NPC’s penalty is significantly lower compared to non-compliance fines to be implemented by EU, which could go as costly as 4 percent of annual revenue of a BPO or about €20 million ($25 million), whichever is higher.

So far, there are 4,712 government agencies and companies operating in the country that have already committed to register their DPOs with the NPC. Liboro reminded that the privacy regulator has set a final deadline of March 8 for all other agencies and firms to do so. He stressed that this deadline would not be extended as it was already lengthened from an original September 9, 2017 deadline.