The Philippine Privacy Trust Mark (PPTM), which was recently launched by the National Privacy Commission (NPC) aims to increase trust and confidence in businesses and government agencies by providing the highest level of assurance on data privacy compliance and secure cross-border data transfers.
The chair of the National Privacy Commission has encouraged all personal information controllers (PICs) and processors (PIPs) to pursue certification now that PTTM is open to all types of businesses. According to him, PPTM also allows customers to make better-informed choices and have more control over the personal data obtained from them, “By helping data subjects identify organisations they can entrust their data, we are also encouraging consumers to be more data privacy-conscious and to exercise their rights more prudently.”
Our launch today of PPTM comes at an opportune time as we aim to fully embrace digitalisation for our economic recovery. This won’t be achieved without strengthening the foundation of trust in every action and transaction we make online.
– Raymund E. Liboro, National Privacy Commission (NPC) Chair
The launch coincides with the publication of the full PPTM Certification Scheme guidelines, which detail the requirements and processes for achieving certification, including the need for PICs and PIPs to develop, implement, and continuously improve their management systems, which is a requirement for certification.
The certification process will analyse an organisation’s proof of operational compliance with the Data Privacy Act through risk management, as well as its demonstration of having the appropriate organisational, physical, and technical security measures in place to maintain data security. The guidelines also adequately accommodate cross-border data transfers, demonstrating NPC’s desire to match its compliance systems with worldwide practices and standards.
The NPS chair emphasised that accredited PICs and PIPs can more readily integrate themselves into global value chains by branding secure privacy solutions and gaining more clients, customers, and business partners. In addition, the NPC pointed that while the mark is voluntary and only applies to management systems, firms must guarantee that all specified products, services, initiatives, and projects follow the data privacy principles of legitimate purpose, transparency, and balance throughout the data lifecycle.
The certificates have a three-year validity period and can be renewed. Those who have been certified may still be suspended if they “consistently” fail to meet conditions, such as demonstrating continuous progress.
If an issue is not resolved within six months, the certification may be revoked. When a certified organisation is found to have violated the terms of the audits or does not meet the declared standards for its management systems, the certification will be revoked. The PPTM Certification Scheme includes guidance for individuals who want to assess PIC and PIP applicants, certify their management systems, and renew their certification.
OpenGov Asia reported, towards the end of 2020, a global software provider in the Philippines launched a service that allowed its clients to analyse data in the cloud or on third-party platforms without ever decrypting it. Companies can use fully homomorphic encryption (FHE) to create a testing environment for developing prototype applications without exposing confidential data.
Current encryption techniques protect data while it is in storage or transit, but they create a gap that exposes data to exposure and theft when it is decrypted. Although FHE is still a new technology, it is already filling a gap in the majority of today’s encryption solutions.
Next-generation encryption makes it simple to keep your data out of the wrong hands. It is always active, encrypting all of your data from the moment it is created. And the data is always encrypted, even when transferred to a shared folder, USB stick, or the cloud. Moreover, next-generation encryption also communicates with the rest of your IT system, sharing and acting on security intelligence. If your endpoint detects a threat, the encryption keys are automatically revoked, ensuring that your data remains secure even if hackers gain access to your network.
