BCDR: a Key Step in Data Privacy Compliance
Have you read Republic Act 10173, the Data Privacy Act of 2012? Section 20 states that “The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction”.
How confident are you that your current BCDR (business continuity and disaster recovery) measures are adequately protecting the data which your organization has collected? Accidental destruction of data can happen due to fires, earthquakes, floods, or even human error. Unlawful destruction of data can happen due to theft, or when malicious software, such as ransomware, encrypts your data. This is what happened on 12 May 2017, when ransomware affected 81 out of 236 National Health clinics in England. This led to the cancellation of over 19,500 medical appointments, and the re-scheduling of more than 600 surgeries.
To prevent – and recover from – such occurrences, organizations are seriously re-evaluating their BCDR strategies and control frameworks. An essential first step is to conduct a risk assessment that answers the following question: “What is the worst thing that can happen to us, as an organization, if this data were to be destroyed, altered, or wrongfully disclosed?” But more importantly, one also needs to ask: “What is the worst thing that can happen to those who own the data, if this data were to be destroyed, altered, or wrongfully disclosed?” In the example of the ransomware attack on the UK clinics, the consequence to the clinics was painful but surmountable – they were forced to upgrade their systems. The consequence to the patients was much more severe – they had to suffer serious delays in getting medical treatment!
If your organization were to permanently or even temporarily lose data, would your organization be able to bounce back from the loss of trust and reputation? Would you be able to hold on to your job? And perhaps most pertinent: would you be able to defend your actions (or conversely, the failure to implement reasonable and appropriate measures) to the National Privacy Commission?
The NPC was created by Section 7 of the Data Privacy Act of 2012, and it has the power to issue a cease and desist order if it finds that your organization is not doing what it should to protect data against “accidental or unlawful destruction”. The NPC can also award indemnity on matters affecting any personal information – so your organization’s failure to protect data may result in the payment of damages to those who were affected. The NPC can issue a compliance order compelling your organization to take action – for example, implementing a mirror site – in order to protect personal data. Finally, the NPC can recommend to the Department of Justice the criminal prosecution and imposition of penalties, as was done for the “Comeleak” voter database breach of 2016.
What would be the business and financial consequences if your organization were issued a temporary or permanent ban on processing? Or if your organization were forced to pay damages to hundreds, or even thousands, of data subjects whose data you failed to protect? Does your organization have enough financial reserves, or perhaps a cyber-liability insurance policy, to weather such a storm?
But then, why wait idly for the storm to arrive? As the saying goes, “a stitch in time saves nine”. Perhaps it’s time to review your current BCDR strategy, and to ask yourself – is your current BCDR strategy good enough to steer your organization away from such storms and disasters?
About the Author
Damian “Dondi” Mapa is an expert on information & communications technology (ICT) and public policy. He has served in three administrations of the Philippine government: as a Commissioner in the Commission on ICT under President Gloria Macapagal-Arroyo, and as Deputy Commissioner in the National Privacy Commission (NPC) under President Benigno S. Aquino III and President Rodrigo Roa Duterte.
He is a co-author and signatory of the Implementing Rules and Regulations of the Data Privacy Act of 2012 as well as various NPC circulars and advisories. In the private sector, Mr. Mapa has served on the Philippine management team of the following ICT companies: Microsoft, Hewlett-Packard, Dell, Unisys, HatchAsia, James Martin & Co., and Andersen Consulting.