Data Security and Privacy 

Volume 1 Issue 2 | 16 May 2018 Digest

Official newsletter of Cebu Pacific's Data Privacy Office

Rounding Up...

First EU cybersecurity law takes effect - with new fines for misbehaving companies

Network and Information Security Directive, the first cybersecurity law to cover the entire European Union, has now gone into effect and will require entities ranging from water and energy services to search engines and cloud computing service providers to report any cybersecurity breaches to national authorities, EURACTIV reports. Companies will face fines if they don't report breaches. So far, only the UK government has announced the level of its fines under the law - up to £17 million, or €19 million. A European Commission official said last week that Brussels expects other countries to introduce similarly high sanctions.

Which Jurisdiction: European Union

Which Industry is Covered: Companies operating "critical infrastructure" like banking, transport and water management systems, as well as digital services including cloud providers or online marketplaces

What Business Should Do:

  1. Review incident reporting, especially, for incidents involving cyber attacks
  2. Perform drills (e.g., table-top exercise) to ensure that every assigned individual knows the specific responsibility

NPC orders Wendy's PH to inform users affected by data breach

The National Privacy Commission (NPC) issues order obliging Wendy's Philippines to promptly notify data subjects affected in the breach and wholesale leak of its database last April 23.

Report says that Wendy's site is manipulated by "yet unknown persons" and that around 82,150 records of customers and job applicants are obtained exfiltrated, including personal details such as names, contact numbers, home addresses, hashed passwords, transaction details, and mode of payment of customers among others. "There is a real risk of serious harm to the affected data subjects; the data is not merely incidental to the breach." the NPC said in its order.

According to NPC, representatives of Wendy's were not able to provide further details regarding the data breach, although Wendy's admitted that earlier attempts of implementing security measures were foiled when information technology officers of the company resigned "before any of the measures were implemented."

Wendy's is an American fast-food chain founded by Dave Thomas in Columbus, Ohio. The first Wendy's hamburger restaurant in the Philippines opened on December 8, 1983, and it is among the top 500 corporations in the country operating 41 stores and still counting.

Which Jurisdiction: Philippines

Which Industry is Covered: All

Celebrate Filipino Data Privacy Rights on Privacy Awareness Week 2018 - NPC

The National Privacy Commission (NPC) will celebrate Privacy Awareness Week (PAW) on May 28-31, 2018, starting with the 1st National Data Privacy Conference on May 28-29 focused on "Protecting the Filipino's Right to Data Privacy." During the conference, the NPC will also launch a year-long social awareness campaign focusing on responsible digital citizenship among Filipinos. Called the "Privacy, Safety, Security and Trust Online" or PSST!, the campaign is aimed at arming Filipinos with the information and self-help tools they can use to protect themselves and their loved-ones from the dangers arising from the careless handling of their own personal data when using online applications and services on their mobile and desktop devices.

Which Jurisdiction: Philippines

Which Industry is Covered: All

What Business Should Do: Attend privacy awareness activities such as the NPC conference

Back to top

Knowledge Empowers You (K.E.Y.)!

What is the General Data Protection Regulation (GDPR)?

GDPR is for the European Union as the Implementing Rules and Regulations (IRR) of the Data Privacy Act of 2012 (DPA) is for the Republic of the Philippines.

Fundamentally, GDPR attempts to achieve two conflicting goals:

  1. Facilitate the flow of personal data across national jurisdictions within the EU
  2. Protect the privacy of EU data subjects

Each EU member state will implement the GDPR in full by 25 May 2018, rendering existing data protection laws in each EU member state obsolete.

  1. Material Scope applies to all personal data whether it is stored and processed using digital techniques or not. Hence, it applies to personal data Controllers and Processors alike. Note that:
    • Controller is the legal entity that decides the purpose for the collection and processing of personal data.
    • Processor is the legal entity which processes personal data on behalf of the controller. A processor should do only what it is tasked to do by the controller, nothing more, at the risk of becoming a controller with the same liabilities.

  2. Territorial Scope How far does the GDPR stretch geographically? It applies to every organization processing personal data of data subjects residing in the Union, even if the organization is operating from an establishment outside of the EU.

  3. Articles and Recitals, what are they? GDPR contains Articles that state "what" is law and the Recitals that provide some explanations on the thinking behind the Articles.

Back to top

Have Fun!

Information is "beautiful." Here's a site that beautifully presents World's Biggest Data Breaches:

Back to top

Do you like what you see here? Or do you want to see something else? Freely send an email to