Adopting VCA Techniques to promote Data Privacy in Retailing

96

By: Atty. Paul A. Santos
Chairman, Philippine Retailers Association
President, Picture City

Republic Act 10173 or the Data Privacy Act of 2012 was enacted with the aim to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.

Furthermore, according to the National Privacy Commission website, it protects the privacy of individuals while ensuring free flow of information to promote innovation and growth; regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data; and ensures that the Philippines complies with international standards set for data protection through the NPC.

The law covers both the public and private sector, including the retail industry, which due to its nature, processes a great volume of information—mostly from its customers or clients.

General obligations imposed by the Data Privacy Act
 Adhere to the data privacy principles of transparency, legitimate purpose, and proportionality.
 Implement security measures.
 Uphold data subjects’ rights, such as the right to information, right to object, right to access, right to correct, right to erase, right to damages, right to data portability, and the right to file a complaint.

What is a Privacy Impact Assessment?
For a company to be compliant to the DPA, there are several steps that need to be undertaken according to the NPC. One of which is the Privacy Impact Assessment or PIA, which helps you manage risks to data privacy caused by the processing of personal data. A PIA can be undertaken on the entire company or on several programs, processes, or projects that the company conduct.

Through a PIA, the company can identify the personal data that are processed as well as the processes and existing measures for data protection, among others.

How to use value chain analysis in a Privacy Impact Assessment?

A few months back, the PRA and NPC have partnered together to conduct the DPO 21: Data Protection in Retail and Manufacturing. Are You On The Right Track?” I had the opportunity to share with the attendees from the retailing and manufacturing industries the importance of a Value Chain Analysis in promoting data privacy in retail. Let me share with you, here:

By adapting a value chain analysis, you can identify sub-activities for each primary and support activity. This can help the company identify links. Linkages occur when the way one activity is performed affects the cost or effectiveness of other activities.
After which, you can evaluate how the acquisition of this ordinary, sensitive, and privileged personal information is supposed to add value to both firm and customer. Then, weigh the costs and risks to be assumed in this effort versus the anticipated benefits.

Once you have identified these sub-activities, it’s time to adapt the VCA in identifying the personal information you acquire, along with the processes on how such information is obtained.

 Discovery phase: Identify the various sub-activities of the firm’s primary and support activities. Then, determine which of these sub-activities acquire ordinary, sensitive, and privileged personal information. Your objective is to create a data inventory that helps you understand what kind of information your firm processes and where all of that resides. This way, you can determine how all this information is shared inside (and outside) the firm.
 Analysis phase: Evaluate how the acquisition of this ordinary, sensitive, and privileged personal information is supposed to add value to both firm and customer. Then, weigh the costs and risks to be assumed in this effort versus the anticipated benefits.

Data in Retail

Relevant data can very much help retailers in engaging with their customers and offer the right kind of services and products they need. However, it is the retailers’ duty to protect these data from breeches as a measure to protect both the company and the customers.

By adapting a VCA in your Privacy Impact Assessment, you can seamlessly anticipate and prepare for potential problems caused by data processing, thus lessening risks and harm to both parties.

 

The article is first published on Philippine Retailing 2019 Q2 issue.