By Jenina P. Ibañez, Reporter

COMPANY data protection measures in the Philippines are falling short while risks increase during the pandemic, a business consultancy firm said.

Most Philippine companies comply with data protection laws by appointing officers in charge of data and awareness about these measures have increased in recent years. But data protection remains low among organizations’ priorities, Straits Interactive Pte. Ltd. Country Manager Edwin A. Concepcion said in an online interview on Thursday.

The Singapore-based firm said Philippine data protection measures are improving compared to its Southeast Asian counterparts, but there is “still a lot to be done.”

“(Organizations) are very aware that yes there is a law that they need to comply with, but in terms of priorities it’s not on the list, especially now with our situation in the pandemic.”

The pandemic has heightened the risks on the targeting of individuals and organizations through social media, phishing, whaling, and other forms of social engineering, Mr. Concepcion said.

A whaling attack is the infiltration of an organization by someone pretending to be a senior member, while phishing attackers gain sensitive information by masquerading as a trusted organization.

“What we have seen in the pandemic, we were all forced overnight to go digital and work from home. So a lot of organizations were not actually prepared to respond to these kinds of incidents,” Mr. Concepcion said.

He said the entire organization should be accountable for ensuring data protection, not just the officer in charge. Data protection officers are not always given the appropriate training and funding to protect data, he said.

“We’ve seen a lot of problems because of that…. The company should take it from the point of view of risk management. Of course organizations are pursuing business or pursuing risks or rewards…so it’s very critical that the compliance efforts should, the tone should always come from the top.”

Data protection compliance, he said, must include risk assessments and must be adapted to the business processes of the specific company.

The National Privacy Commission in May released guidelines for data security for work-from-home operations, encouraging institutions to use only authorized software and organization-issued devices.

When using home-based Wi-Fi, the commission said to ensure reliable internet connection and to avoid visiting malicious web pages.

While there has been a spike in interest in learning about data protection during the pandemic, Mr. Concepcion said that this has not yet translated to engagement in data protection services.

“In so far as management priority, that’s a totally different matter. Probably during the pandemic times, that’s quite understandable but again the priority is still not there. We don’t see the top management getting involved in the data protection of their companies,” he said.

“They have very high interest, high awareness, but spurring them into action is a low priority.”