The importance of data privacy has been a significant priority in recent and ongoing technology developments. The implementation of stringent data protection procedures is key as the number of interactions between individuals, organizations and online platforms continues to grow. In the Philippines, the Globe Group has been a pioneer in the enactment of data privacy regulations in accordance with the Data Privacy Act of 2012. In an exclusive interview with Telecom Review Asia, Irish Salandanan-Almeida, chief privacy officer at Globe Group, shared how the company develops and executes data privacy measures while prioritizing the welfare of consumers.
Can you provide an overview of the current data privacy landscape in the Philippines and in Asia?
The Philippines was actually one of the first countries in the ASEAN region to have a dedicated data privacy law, which is the Data Privacy Act of 2012. Starting in 2016, when the implementing rules and regulations of that law were issued, the government started to strictly implement and enforce the law, and the companies had to comply with it.
We might already have a good law in place, but the pandemic and the accelerated shift to digital services also increased the volume and complexity of financial crimes. These are spam and scam messages, such as phishing links and calls from scammers. These fraudulent activities often target our customers, especially those left jobless during the pandemic, and so they are also the most vulnerable to these types of scams.
The government's response was to pass the SIM Registration Act, which requires the registration of all SIM cards, whether they're postpaid or prepaid. The goal is for fraudsters and other cybercriminals to be deterred because they can no longer hide behind the cloak of anonymity. The SIM registration database is absolutely confidential, and the data can only be disclosed upon the issuance of a court order or a subpoena, removing the danger or risk that the data can be used for other purposes. Even internally with Globe employees, it remains absolutely confidential and separate from all other databases.
Globe successfully implemented SIM registration and attained the highest number of registrations, securing our place as the mobile leader in the Philippines.
The privacy regulator in the Philippines, the National Privacy Commission, has also been very active in working with their stakeholders. The government and the private sector are working hand-in-hand to comply with the requirements of the Data Privacy Act. In recent years, the NPC has been releasing circulars on administrative fines for data privacy violations. They are currently working on releasing circulars on deceptive design patterns [based] on consent and legitimate interest, which would help a lot of companies comply with the Data Privacy Act.
Moreover, Globe is also an active member of the Commission's Data Privacy Council. We regularly participate in public consultations to raise awareness among the different sectors when it comes to data privacy.
How do you ensure that Globe's data protection measures meet regulatory requirements and sustain customers’ trust?
We have an awareness campaign under the umbrella of our #MakeITsafePH campaign as well as our digital thumbprint program. The goal of both programs is to educate customers and the Filipino public in general about online safety and how to become responsible digital citizens.
We have developed a book together with Canvas, a non-profit organization that promotes children's literacy through art. We also worked with Google to develop this book, supported by the National Privacy Commission. It's a fun activity book that educates children about the importance of personal information or personal data and what they can do to protect it.
We also believe that increased government and private sector collaboration is critical, so we signed a memorandum of understanding with the NPC to collaborate on awareness efforts. Since the most pressing issue at the moment is really spam, scams and all of these fraudulent schemes, the MoU’s primary objective is to raise awareness about fraudulent schemes and how our customers can protect themselves.
Furthermore, we’re the only telco to have a stop-spam portal on our Globe website where customers can report spam and scam messages. As soon as our customers report these messages to us, our security operations center, which is open 24/7, receives them. They would then investigate and confirm whether it was indeed a spam or scam message, and block or deactivate the numbers behind it accordingly. If it's from another telco, they report it to the other telcos. Another thing that is unique to Globe is that we block all text messages with clickable links through keyword filters. I think this is something that our customers have been really happy about because it significantly lessened the spam and scam messages they received even before the implementation of the SIM Registration Act.
What are the challenges you've encountered in enforcing these data privacy practices in an ever-changing business landscape?
Because Globe is a telco, we collect tons of customer information on a daily basis, given that we currently have over 90 million customers. The challenge is always to protect this information and comply with the requirements of the law. We developed a privacy and security risk assessment that is very specific to Globe but also in accordance with the requirements of the Data Privacy Act. This includes a privacy impact assessment to make sure that, in all projects and initiatives, Globe is compliant with the law. We also have a security design review, vulnerability assessment and penetration testing that's more focused on the cybersecurity side of all of our platforms and systems.
We go beyond checklist compliance by making sure that, [with] all the projects and programs that involve personal data, Globe adheres to the data privacy principles of transparency, legitimate purpose and proportionality. At Globe, we believe that privacy adds business value, and we try to instill in all of our employees the importance of privacy.
Other companies tend to think that privacy is scary or that it is a showstopper because it will prevent them from collecting customer data. But we've tried to change that type of thinking and let our employees know that it's something that will make our customers want to choose Globe over others and want to trust our company more.
The company is also in the midst of transforming from a telco to a techco or a technology company; the business environment is extremely fast-paced. We have very complex use cases, so we take a policy-based approach rather than a strictly legal approach where everything is black and white, since a lot of the use cases don't fall squarely within the law. We continue to collaborate with the NPC and other stakeholders when we make decisions and when we pursue projects and initiatives. We prioritize our consumers above all, and Globe is really committed to the country's economic recovery despite the pandemic. The company is really pushing to ensure that digital adoption continues and is not hampered by all of these fraudsters or cybercriminals that are trying to erode customer trust and digital services.
What are your goals and vision for Globe's data privacy efforts in the coming years?
We envision the Globe Group to be a leader in data privacy, not just in the Philippines but across the globe. We make sure that we are up to date when it comes to best practices globally. We are also members of the International Association of Privacy Professionals, so we try to stay ahead of the trends in data privacy.
Furthermore, we established a Globe Group Privacy Council back in 2019 with the objective of calibrating privacy and security practices across the Globe Group. The group has been continuously growing. We support our developing portfolio of companies to meet the standards we've set as one Globe Group since some of the privacy and cybersecurity requirements are a bit more challenging to comply with for startups. Globe supports all of the subsidiaries as well.
The council meets quarterly to exchange best practices and to be updated on developments across our industries. The Globe Group currently spans a lot of industries, from telco, which is Globe Telecom, to fintech, health tech and startups, among others.
We are also part of a much larger group — that's the Ayala Group of Companies. This year, Globe was appointed as the chair of the Ayala Group Data Privacy Council. We also meet quarterly to discuss updates aligned with the member company's progress when it comes to compliance, data privacy and sharing use cases. We also discuss how to conduct privacy impact assessments and vendor risk assessments.
