THE implementation of the General Data Protection Regulation (GDPR) in the Philippines will benefit more organizations as this will enhance their transactions and dealing
with European Union (EU)-based businesses and citizens because they have data privacy and transparency measures, an executive said.

“We see the GDPR pushing other countries, including the Philippines, to improve their respective data privacy regulations. It is effectively making state-of-the-art data security
the new standard across the globe,” Trend Micro Director for Technology Marketing Myla Pilao said in a press statement.

The new regulation applies to all organizations that operate in the EU and/or processes the personal information of EU citizens, regardless of their size or location. In this
light, companies based in the Philippines but engaged in businesses involving EU citizens must comply with the regulation.

The GDPR, which took into effect last May 25, requires companies and other organizations operating in the EU, wherever they are based, to practice greater transparency and vigilance in accessing and collecting consumers’ personal data.

“GDPR is a good development for both users and companies alike,” Pilao said. “For one, compliance with the stricter rules on data protection spurs consumer confidence amid
the growing threat of cyber security breaches. It also levels the playing field for companies by deterring unfair access to consumer data.”

GDPR is regarded as the most significant change in data-privacy regulation in 20 years, which will see drastic changes in the way of doing businesses worldwide. The
regulation draws greater transparency from organizations that process personal information and, at the same time, grants consumers more control over their data.

“GDPR essentially empowers consumers to determine what data they will share, who will have access to such information and how companies can process and use
them,” Pilao said. “Accordingly, consumers can better protect themselves online.”

As consumers wield more control over their data, Pilao said user consent becomes an important factor for data processing to take place or even to continue.

Companies, as data controllers, must therefore use “concise, transparent, intelligible and easily accessible” forms when asking consumers to agree to privacy terms and conditions or data collection and processing. They must also disclose the purpose or legal grounds for data processing, the categories of personal data collected, possible recipients of the data and the period when the data will be stored.

Consumers can restrict data processing if certain conditions apply. Addressing the automated way personal data is used for decision-making, the GDPR adds a provision where data subjects can opt out of automated data processing, including profiling.

GDPR also allows consumers to correct any information they have previously allowed to be collected, pursuant to their “right to rectification.” Meanwhile, they can exercise
their “right to erasure” or “right to be forgotten” to delete their personal information from data controller’s database without undue delay.

In addition, consumers can receive and transmit, in a common and machine-readable format, their personal data to another company, through the “right to data portability”
provision of the GDPR.

“As they wield more control, consumers share more responsibility of knowing and protecting their data, making them partners of the organizations with whom they have entrusted their data,” Pilao said.