THE country’s corporate regulator has ordered capital markets, listed companies, and other institutions to comply with data privacy laws following reports of security breaches in both local and international firms in the previous months.
The Securities and Exchange Commission’s (SEC) Markets and Securities Regulation Department said in an e-mailed statement that it has required the Philippine Stock Exchange (PSE), the Philippine Dealing & Exchange Corp. (PDEx), listed firms, and other market institutions to submit compliance reports within 30 days.
The commission noted that aside from the Data Privacy Act (DPA) of 2012 and the European Union General Data Protection Regulation (EU GDPR), these institutions must also follow the 2015 implementing rules of the Securities Regulation Code (SRC), which mandate that market participants maintain a comprehensive information technology plan.
The SRC also states that the institutions’ information technology, trading, business continuity, disaster recovery and risk management systems must be reviewed and audited by an independent firm on a regular basis.
“These are designed to ensure that trading in the market is efficient, not interrupted and not susceptible to glitches, as well as for the protection of personal and other data against any accidental or unlawful destruction, alteration and disclosure, and against any other unlawful processing,” the SEC said.
Under the DPA, personal information controllers (PICs) and personal information processors (PIPs) with more than 250 employees must register with the National Privacy Commission. Those with fewer than 250 employees must still register if their processing is likely to pose a risk to the rights and freedoms of data subjects, or if it involves the sensitive personal information of at least a thousand individuals, among other criteria.
PIPs and PICs are further expected to produce a privacy manual and form a privacy management program as part of their corporate governance responsibilities.
In addition, corporations which have been issued secondary licenses by the SEC must determine whether they are covered by the DPA as a PIP or PIC, and then comply with the rules.
Meanwhile, the EU GDPR also covers companies established outside the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU.
In its letter to the PSE dated Oct. 5, the SEC requested the bourse operator to also inform its trading participants, listed issuers, and other stakeholders about the requirements of data privacy laws and data protection regulations.
“The trading participants, listed issuers, and other stakeholders of PSE are likewise required to submit such report,” the SEC said.
The SEC’s order came amid the recent data breach affecting two online stores of listed company ABS-CBN Corp. The media giant temporarily shut down the online stores, which may have exposed the personal and financial information of more than 200 customers.
The commission also cited its counterpart in the United States, which imposed a $1 million fine on broker-dealer and investment adviser Voya Financial Advisors, Inc. for violating the Safeguards Rule and the Identity Theft Red Flags Rule. The violations reportedly stemmed from weaknesses in its cybersecurity procedures. — Arra B. Francia