BPO registration for personal data protection mandatory says NPC

Critical industry sectors processing personal data likely to pose risks to the rights and freedom of their subjects are required to be registered at the National Privacy Commission (NPC) under the Data Privacy Act. The range of companies that come under the act is extensive and includes business process outsourcing (BPO) companies along with along with businesses involved in direct marketing, networking, companies providing reward cards and loyalty programs as well as personal information processors (PIPs) for a personal information controller (PIC), and data processing systems involving automated decision making. Furthermore, under the law, organizations with at least 250 employees and those that process records involving sensitive personal information of 1,000 or more individuals must likewise register their data processing systems with NPC, beginning with the registration of their designated Data Protection Officers (Phase I Registration) by next month, September 9, 2017. The new NPC circular 17-01 provides guidelines for the registration of data processing systems as well as notification requirements regarding automated decision-making.