Regulator Updates: NPC, July 2020
I was fortunate enough to attend the Data Privacy Council meeting last July 30, where the NPC shared updates on what they've been up to and their plans for the remainder of 2020. Here are the more important items from the presentations:
DPO Registration. As you may already know, the NPC extended the validity of the DPO registrations since the new NPC portal is not yet ready (among a host of reasons for the extension, I am sure). Note though that the NPC continues to accept and process applications for DPO registration. These can be submitted via email. Please refer to the NPC website for more information.
Privacy Sweeps. The NPC continues to do Privacy Sweeps, and they have completed 175 sweeps in Q2 2020. How do they choose which organizations to examine? Here are some of the things they look at:
Level of risk to the rights and freedoms of data subjects;
Whether NPC has received reports/complaints on the PIC/PIP;
Whether the PIC/PIP is registered;
Whether there is personal data traced to the PIC/PIP that is available online;
Whether the PIC/PIP is part of a sector that has seen a lot of data breaches/complaints.
Personal Data Breaches. In the first half of 2020, the NPC received 120 personal data breach notifications. In June, there was a surge of data breach notifications in the Education sector. Because of this, the NPC met with stakeholders in the sector and reminded them to invest in data protection systems. The NPC noted the inability of schools to detect security incidents. Some data breaches were discovered only after the personal data of students became available online.
Hearings. The NPC clarified that they only suspended their face-to-face hearings but will continue to hold hearing henceforth via video-conferencing. The NPC will be issuing supplemental rules of procedure/guidelines to cover hearings via video-conferencing.
Electronic filing. Electronic filing of complaints and other pleadings is encouraged by the NPC. For filings related to cases, please do not forget to include the case number in the subject line to ensure your filing does not get lost.
ACE Certification. NPC will be working on accreditation of training professionals for their ACE certification program. The NPC plans to hold a Train-the-Trainers training program before giving the accreditation exam.