ABS-CBN Corporation was lauded by former deputy privacy commissioner Dondi Mapa at the corporate governance training held for directors and officers of publicly listed companies (PLCs) associated with the Lopez Group.
In his executive briefing on the Data Privacy Act of 2012, Mapa gave extensive examples of data privacy requirements and breaches around the world, saying data privacy protection is a global issue. In the European Union, companies that don’t protect their customers from data breaches may be fined as much as 4% of their annual global revenue.
Proactive management
Mapa twice mentioned ABS-CBN’s proactive management of an attack on its online shopping facility. ABS-CBN temporarily took down The ABS-CBN Store and the UAAP Store websites on September 19, 2018 following a report of a data breach. Personal information and credit card details of about 200 customers were affected. The company immediately reported the breach to the National Privacy Commission (NPC) even as an investigation into the matter continued.
Jay Gomez, ABS-CBN’s head of Information Security and concurrent data protection officer, said that the data breach was caused by a compromised account of a third-party e-commerce provider and only affected The ABS-CBN Store. However, the UAAP Store was also taken down as a precaution because the two sites used the same e-commerce platform. Gomez said both e-commerce sites will return online after additional mitigation measures are installed “based on internal and NPC recommendations.”
Transparent
Mapa said being transparent and working closely with the NPC is among the best practices in local data protection. ABS-CBN reached out to all affected customers and successfully advised them on next steps. For six customers who didn’t give their email or mobile numbers, registered mail was sent instead to their addresses.
The law requires organizations that employ over 250 people or process the personal information of at least 1,000 individuals, such as customers or beneficiaries, to register with the NPC and appoint a data protection officer. Consent for the control and processing of personal information may be obtained in electronic, written or recorded form.
Replying to a query, Mapa said employees must be informed about closed-circuit television cameras installed on office premises. He cited a case where the European Court of Justice ruled that installing hidden cameras in store premises was a violation of data privacy; hence, any evidence obtained from such hidden cameras was inadmissible for purposes of prosecuting thieving employees, for example.
Sustainability in the boardroom
Also at the seminar, Atty. Teodoro Kalaw IV, trustee of the Institute of Corporate Directors (ICD), advised about “Sustainability in the Boardroom” and shared the results of his study on sustainability among top-ranked PLCs.
Based on the 17 sustainable development goals set by the United Nations General Assembly in 2015, Kalaw said sustainability is as much about planetary resilience, or going green, as it is about promoting an inclusive and equitable society as a means to achieve global peace.
While the Securities and Exchange Commission will require sustainability reports from PLCs by the end of the year (2018), Kalaw said directors of PLCs may find opportunities for sustainability in their organization’s value chain or as a core of their business model. Such opportunities, if pursued, will make sustainability action strategic for the corporation and avoid “major sources of disconnect.”
Extrinsic disconnect
Extrinsic disconnect occurs when a company’s sustainability action is not in sync with the guidelines for reporting adopted by the company. Intrinsic disconnect occurs when the company inaccurately reports its action based on the chosen sustainability guidelines.
Kalaw encouraged directors and officers to make sustainability part of organizational culture, starting from the top so as to gain the cooperation of everyone down the line in learning and developing capabilities for sustainable action. He said sustainability should be a leadership opportunity instead of a compliance challenge.
The training was conducted by the ICD on October 29 at The Loft@Manansala. It was attended by over a hundred directors and officers of Lopez Group PLCs. (Story/Photos by: Carla Paras-Sison)