By Arjay L. Balinbin

VARIOUS companies in the Philippines are still in the infancy stage of implementing their data protection and data privacy obligations, placing them at a high risk for data breaches, Singapore-based technology company Straits Interactive Pte. Ltd. said.

“As of now, based on our assessment, a lot of the organizations in the Philippines are still in the infancy stage of implementing a data privacy and information management program,” Straits Interactive Country Manager for the Philippines Edwin A. Concepcion told BusinessWorld in a recent phone interview.

A privacy management program by companies ensures their compliance with Republic Act No. 10173, also known as the Data Privacy Act (DPA) of 2012, according to the National Privacy Commission (NPC).

Mr. Concepcion said compliance with the DPA, which promotes and upholds individuals’ data privacy rights, reflects a company’s commitment to building trust with its clients and employees.

In 2019 alone, the NPC received more than 2,000 complaints of alleged harassment and shaming by some mobile online lending operators, he said.

He added that such incidents happen because users wittingly or unwittingly allow privacy-intrusive applications to collect excessive information from them.

The Securities and Exchange Commission recently warned the public against investing in at least 14 groups that are allegedly taking advantage of the coronavirus disease 2019 (COVID-19) crisis by luring individuals into illegal investment activities.

One of them is a text scam that uses the name of President Rodrigo R. Duterte. It works by sending people text messages saying that they have won P750,000 in an electronic raffle, then asking for their personal information to claim the prize.

Mr. Concepcion said what business organizations should do is train their employees on data protection.

“Companies need to have a sense of ownership, responsibility and accountability. They typically only invest in technical security, but data security should be done at three levels such as employee awareness, physical security, and administrative, which means that there must be an individual in charge or group in the organization who will enforce data protection,” he explained.

Internet security firm Kaspersky said that companies in Southeast Asian countries, including the Philippines, are starting to prioritize investing in their cybersecurity capabilities, with many planning to raise their IT security budgets over the next three years.

Kaspersky’s 2019 survey of nearly 300 IT business leaders in the region showed that 34% of the companies are worried about data loss and being exposed to a targeted attack.

The IT security firm said 31% of such companies are concerned about electronic leakage of data from internal systems.

Mr. Concepcion said having trained and aware employees is the best defence.

“The most common issue that arises from the work-from-home setup and using all these technologies available now is the excessive collection of personal information,” Mr. Concepcion said.

He also noted that such data are being used for multiple purposes without the subject’s consent.

“Also, a lot of companies store and retain information, creating a very high risk for personal data breaches and leading to unauthorized access and disclosure,” he continued.

Early this month, the Department of Information and Communications Technology (DICT) urged the public to take measures to be safe when using video and teleconferencing applications amid security issues that have emerged.

The DICT also advised users to install firewall software from trusted firewall security companies and free browser extensions that block tracking activities of applications, such as Chrome’s AdBlock Plus and Firefox Ad Hacker.