RE: DPO BRIEFING SUMMARY REPORT

DPO BRIEFING SUMMARY REPORT

Contents:
I. OVERVIEW OF DATA PRIVACY ACT
II. FIVE PILLARS OF DATA PRIVACY COMPLIANCE
III. PRIVACY IMPACT ASSESSMENT
IV. PRIVACY MANAGEMENT PROGRAM
V. PRIVACY AND DATA PROTECTION MEASURES
VI. BREACH REPORTING PROCEDURE

BACKGROUND
This summary report serves to cascade the relevant topics, as discussed in the DPO
Briefing at the National Privacy Commission Office at PICC Complex, to the partners, associates
and other staff of the law office. The following report contain notes by Vincent Joshua D. Bohol
(VJB) during the DPO Briefing and citations from the NPC website at www.privacy.gov.ph. The
powerpoint presentations and other related materials shall follow as soon as I received the same
from the Commission.
For more reference of the Data Privacy Act and it’s Implementing Rules and Regulation
and related issuances of the National Privacy Commission please feel free to read the Data
Privacy Compendium and Data Privacy Toolkit provided by the NPC for the Law Office of
Morales & Justiniano Law.
As a brief introduction, Republic Act No. 10173 or the Data Privacy Act (DPA) aims to
protect personal data in information and communications systems both in the government and
the private sector. The DPA intends to increase the benefits of data collection and decrease or
eliminate the risk of data breach. It ensures that entities or organizations processing personal data
establish policies, and implement measures and procedures that guarantee the safety and security
of personal data under their control or custody, thereby upholding an individual’s data privacy
rights.

I. OVERVIEW OF DATA PRIVACY ACT DATA

A. Definition of Terms

a. Data subject refers to an individual whose personal information is processed.

b. Personal information controller (PIC) refers to a person or organization who controls

the collection, holding, processing or use of personal information, including a person
 or organization who instructs another person or organization to collect,hold, process,
use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by
another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.

c. Personal information processor refers to any natural or juridical person qualified

to act as such under this Act to whom a personal information controller may
outsource the processing of personal data pertaining to a data subject.

d. Processing refers to any operation or any set of operations performed upon

personal information including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.

e. Personal information refers to any information whether recorded in a material

form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or
when put together with other information would directly and certainly identify
an individual.

f. Privileged information refers to any and all forms of data which under the
Rules of Court and other pertinent laws constitute privileged communication.

g. Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or
to any proceeding for any offense committed or alleged to have been committed
by such person, the disposal of such proceedings, or the sentence of any court in
such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but

not limited to, social security numbers, previous or cm-rent health records,
licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept
classified.

h. Data Breach is a breach of security leading to the

accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to, personal data transmitted, stored, or otherwise processed.
 i. Data sharing is the disclosure or transfer to a third party of personal
data under the custody of a personal information controller or personal
information processor. In the case of the latter, such disclosure or transfer must
have been upon the instructions of the personal information controller
concerned. The term excludes outsourcing, or the disclosure or transfer of
personal data by a personal information controller to a personal information
processor

B. Data Sharing Agreement (DSA)

A DSA is a contract, joint issuance or similar document that contains the terms and
conditions of a data sharing arrangement between 2 or more parties.

All parties to a DSA are considered PIC. Accordingly, it is different from an outsourcing
or subcontracting agreement.

Some Pointers on DSAs:

Unless a law says otherwise, the consent of a data subject must always be obtained before
his or her personal data is shared.

Data Sharing must always adhere to the data privacy principles laid down in the DPA, it’s
IRR, and all issuances of the NPC

Prior approval of the NPC is not required for the execution of DSAs. However, the NPC
may review a DSA at any time.

C. The Data Protection Officer (DPO)

PIC and PIP are required to appoint or designate a DPO. The DPO will be accountable
for ensuring compliance by the PIC or PIP with the Data Privacy Act, it’s IRR and
related issuances of the NPC.

Who may be appointed as a DPO?

The DPO must be a full time or organic employee of the PIC or PIP. Where the
employment of the DPO is based on a contract, the term of the contract should be at least
2 years to ensure stability

The DPO should be knowledgeable on relevant privacy or data protection policies and
practices, and the processing operations of the PIC or PIP.

The provisions of NPC Advisory 17-01 (pages 156-166 of the DPA Compendium) dated
March 14, 2017 may serve as a guide in the designation of the DPO.
The designation, postal address, dedicated telephone number, and e-mail address of the
DPO should be included in the:
a. Website
b. Privacy policy
c. Privacy notice
d. Privacy manual

The name or names of the DPO need not be published. However, it should be made
available upon request by the data subject and or the NPC.

Every organization or entity needs to appoint a DPO but not every organization or
entity needs to register their DPO. DPOs require registration with NPC when the PIC
or PIP shall register its data processing system under any of the following conditions:

A. the PIC or PIP employs at least two hundred fifty (250) employees;

B. the processing includes sensitive personal information of at least one thousand

(1,000) individuals;

C. the processing is likely to pose a risk to the rights and freedoms of data subjects.

Processing operations that pose a risk to data subjects include those that involve:

1.) information that would likely affect national security, public safety, public order, or
public health;

2.) information required by applicable laws or rules to be confidential;

3.) vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly,
patients, those involving criminal offenses, or in any other case where an imbalance
exists in the relationship between a data subject and a PIC or PIP;

4.) automated decision-making; or

5.) profiling;

D. the processing is not occasional: Provided, that processing shall be considered

occasional if it is only incidental to the mandate or function of the PIC or PIP, or, it only
occurs under specific circumstances and is not regularly performed. Processing that
constitutes a core activity of a PIC or PIP, or is integral thereto, will not be considered
occasional:

What are the Duties of a DPO?

The Duties of a DPO are the following:

 a. monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC
and other applicable laws and policies. You may:
1. collect information to identify the processing operations, activities, measures,
projects, programs, or systems of the PIC or PIP, and maintain a record
thereof;
2. analyze and check the compliance of processing activities, including the
issuance of security clearances to and compliance by third-party service
providers;
3. inform, advise, and issue recommendations to the PIC or PIP;
4. ascertain renewal of accreditations or certifications necessary to maintain the
required standards in personal data processing; and
5. advice the PIP or PIP as regards the necessity of executing a Data Sharing
Agreement with third parties, and ensure its compliance with the law;
b. ensure the conduct of Privacy Impact Assessments relative to activities, measures,
projects, programs, or systems of the PIC or PIP;
c. advise the PIC or PIP regarding complaints and/or the exercise by data subjects of
their rights (e.g., requests for information, clarifications, rectification or deletion of
personal data);
d. ensure proper data breach and security incident management by the PIC or PIP,
including the latter’s preparation and submission to the NPC of reports and other
documentation concerning security incidents or data breaches within the prescribed
period;
e. inform and cultivate awareness on privacy and data protection within your
organization, including all relevant laws, rules and regulations and issuances of the
NPC;
f. advocate for the development, review and/or revision of policies, guidelines, projects
and/or programs of the PIC or PIP relating to privacy and data protection, by adopting
a privacy by design approach;
g. serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and
other authorities in all matters concerning data privacy or security issues or concerns
and the PIC or PIP;
h. cooperate, coordinate and seek advice of the NPC regarding matters concerning data
privacy and security; and
i. perform other duties and tasks that may be assigned by the PIC or PIP that will
further the interest of data privacy and security and uphold the rights of the data
subjects.

D. Rights of a Data Subject

1. The right to be informed means that the data subject has the right to know
when his or her personal data shall be, are being, or have been processed. Collection and
processing of data without the data subject’s knowledge and explicit consent is made
unlawful, and entities in possession of personal data is obligated to inform the data
subject of any breaches or compromises in their data.
2. The right to access involves being able to compel any entity possessing any
personal data to provide the data subject with a description of such data in its possession,
 as well as the purposes for which they are to be or are being processed. Furthermore,
other details regarding the processing of their information may be obtained, such as the
period for which the information will be stored, and the recipients to whom the
information may be disclosed. This must be complied with in an easy-to-access format,
accompanied by a description in plain language.
3. The right to object requires that the consent of the data subject be secured in
the collecting and processing of his or her data. It grants the data subject the choice of
refusing to consent, as well as the choice to withdraw consent, as regards collection and
processing. As earlier stated, any activity involving a data subject’s personal data without
his or her consent is deemed illegal.
4. The right to erasure or blocking allows the data subject to suspend,
withdraw or order the blocking, removal, destruction of his or her personal information
from the personal information controller’s filing system upon discovery and substantial
proof that the personal information are incomplete, outdated, false, unlawfully obtained,
used for unauthorized purposes or are no longer necessary for the purposes for which
they were collected. This is akin to the recognized right to be forgotten.
5.   The right to rectify, allows the data subject to dispute any inaccuracy or
error in the personal information processed, and to have the personal information
controller correct it immediately. In line with this, the personal information controller
must ensure that the new and the retracted information will be accessible, and that third
parties who received the erroneous data will be informed, upon the request of the data
subject.
6. The right to data portability enables the data subject to obtain and
electronically move, copy, or transfer personal data for further use. This also carries out
another policy behind the law–ensuring the free flow of personal information.
7. The right to file a complaint with the National Privacy Commission affords a
remedy to any data subject who “[feels] that [his or her] personal information has been
misused, maliciously disclosed, or improperly disposed,” or in case of any violation of
his or her data privacy rights.
8. The right to damages entitles the aggrieved data subject to be indemnified for
any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of his or her personal information.

E. Penalties

PUNISHABLE ACT JAIL TERM FINE (PESO)

Access due to 1y to 3y min 3y to 6y max 500k to 4m
negligence
Unauthorized 1y to 3y min 3y to 6y max 500k to 4m
processing
Unauthorized purposes 18m to 5y min 2y to 7y max 500k to 2m
Improper disposal 6m to 2y min 3y to 6y 100k to 1m
 Intentional breach 1y to 3y 500k to 2m
Concealing breach 18m to 5y 500k to 1m
Malicious disclosure 18m to 5y 500k to 1m
Unauthorized 1y to 3y min 3y to 5y max 500k to 2m
disclosure
Combination of acts 3y to 6y 1m to 5m

The Philippines is the only jurisdiction in the international plane that imposes imprisonment
in case of violation of data privacy rights. Other jurisdictions impose fines but in much
exorbitant amounts as compared to ours.

F. Data Privacy Principles

Processing of personal data shall be allowed SUBJECT TO COMPLIANCE with the

requirements of the DPA and other laws allowing information disclosure to the public and
adherence to the PRINCIPLES of TRANSPARENCY, LEGITIMATE PURPOSE and
PROPORTIONALITY.

Transparency is demonstrated by consent, privacy notice and privacy policies.

Legitimate Purpose, on the other hand, states that personal information must be collected
for specified and legitimate purposes determined and declared before, or as soon as
reasonably practicable after collection.

Finally, Proportionality basically suggests that collection of personal data should be

constrained to only what is necessary.

II. FIVE PILLARS OF DATA COMPLIANCE

1. Appoint a Data Privacy Officer

PIC and PIP are required to appoint or designate a DPO. The DPO will be accountable
for ensuring compliance by the PIC or PIP with the Data Privacy Act, it’s IRR and
related issuances of the NPC.

2. Adopt a Privacy Impact Assessment (PIA)

A PIA is a process undertaken and used by a government agency to evaluate and manage
the impact of its program, process and/or measure on data privacy.

3. Create A Privacy Management Program (PMP)

Your PMP serves to align everyone in the organization in the same direction, to facilitate
compliance with the DPA and issuances of the NPC, and to help your organization in
mitigating the impact of a data breach.
4. Implement Data Privacy and Security Measures

The measures laid out in your privacy and data protection policies should not remain
theoretical. They must be continuously assessed, reviewed, and revised as necessary,
while training must be regularly conducted

5. Be Ready in Case of Data Breach

Upon discovery of a personal data breach, or reasonable suspicion thereof, it is important

to conduct an initial assessment of the breach, to mitigate its impact, and to notify both
the affected data subjects and the NPC within 72 hours of discovery.

III. PRIVACY IMPACT ASSESSMENT (PIA)

PIA is a process used to evaluate and manage the impact of a program, process, system
and/or measure on data privacy.

The process takes into account the nature of the personal data to be protected and
evaluates the risks to privacy and security represented by the processing of personal data.
The PIA guides the PIC or PIP through the process of understanding the personal data
flow in the organization, identifying and assessing various privacy risks, and proposing
measures to address these risks. Proposed measures should consider the size of the
organization, complexity of its operations, current data privacy best practices and the cost
of security implementation.
PIAs should be undertaken for every processing system of an organization involving
personal data. It is also important prior to implementation of new programs, projects,
processes or measures that have privacy impacts. A change in law or regulation, or
changes within the organization may likewise require undertaking a PIA if the changes
would affect personal data processing.

The ultimate goal of a PIA is personal data protection, to increase the benefits and
decrease the harms of processing personal information.

The Contents of the PIA

1. Description of the personal data flow:

- Categories of personal data held by the agency, including records of its own
employees;
- Source and manner of collection of personal data
- Persons responsible or accountable for the processing of personal data
- Purpose of processing, including, where applicable, the legitimate interest pursued
by the agency;
- List of all information repositories holding personal data, including
a. Their location;
b. Types of media used for storing the personal data; and
c. Transfers outside the country
- Organizational, physical and technical security measures in place

2. Assessment of adherence to data privacy principles, including the necessity and

proportionality of the processing, the implementation of security measures, and the
means for data subjects to exercise their rights.

3. Identification and assessment of the risks to the rights and freedoms of data subjects
associated with the personal data processing, and any proposed measures to address the
risks.

Benefits of PIA

- Good governance
- Compliance with the law
- Cost effective
- Mitigate privacy risks
- Privacy strategy and awareness

The PIC should commit the conduct of a PIA by:

1. Determining the need of a PIA

2. Assigning responsible persons
3. Provide resources for the conduct of a PIA
4. Issue a clear directive for conduct of PIA

Note: The PIC must identify the uses personal data and determine the need for consent of
the data subject.

The DPO must ensure the conduct of a PIA as part of his duties under the DPA.

The PIA Process includes:

1. Planning and Preparation

2. Risk Identification and Analysis
a. PIC must detect the threats and vulnerability of its processing system and/or
program
3. Risk Management Strategies
4. Documentation (Very important for NPC Audit!)

The Privacy Risk Rating is a tool used to determine whether the impact of privacy
measures will probably cause risk/s on data breach. If the information is sensitive the
impact will be more harmful. Security measures will limit risks and, thus, minimizes our
data risk probability ratio.

The tables and formulas can be seen in the NPC Toolkit, under the Chapter Privacy
Impact Assessment, for your convenience. The following is a sample illustration of a
Risk Rating Formula:

Ref Threats/Vulnerability Impact Probability Risk

# Rating
1 2 3 4 1 2 3 4
1 2 3 4 1 2 3 4
1 2 3 4 1 2 3 4
1 2 3 4 1 2 3 4

Rating Types
1 Negligible
2 to 4 Low Risk
6 to 9 Medium Risk
10 to 16 High Risk
 Residual Risks should also be included in the PIA. It means risk remaining after risk
treatment.

The Approaches to Risk Management may be accomplished by avoidance, mitigation,

acceptance and transfer (outsourcing).

IV. PRIVACY MANAGEMENT PROGRAM (PMP)

A PMP serves to align everyone in the organization in the same direction, to facilitate
compliance with the DPA and issuances of the NPC, and to help your organization in
mitigating the impact of a data breach.

A PMP is required so that privacy protection is not merely an ad hoc program.

When the PMP is part of the organization structure, it will help create an internal culture
protective of data privacy rights of an individuals.

Why do we need a PMP?

- Minimize risks of privacy breaches

- Maximize your ability to tackle root causes
- Reduce the damage arising from breaches

NPC Circular 18-02 provides for the Guidelines on Compliance Checks.

PMP Key Components

1. Organizational Commitment

Buy-in from the Top – since policies require top management support, the management
of an organization or entity must:

a. Designate a DPO to manage PMP

b. Endorse a set of Program Controls
c. Report to the Board on the program

2. Program Controls

A Program Control is a very important protocol! – When the NPC implements their audit,
they will look in to the organizations Program Controls.

Contents of a Program Control (Will ask NPC for a sample template)

1) Personal Data Inventory

  What personal data you process?
 How do you use them?
 Do you really need them?
Notes: Inventory enables informed decisions:
 What type of consent to get.
 What type of protection to provide.
 When to dispose data.
 How to accommodate data subjects.
2) Policies
 Are derived from legal requirements:
i) Collection of personal data
ii) Accuracy and retention
iii) Use of personal data, requirements for consent
iv) Security of personal data
v) Transparency of policies and practices (must be posted in the office area and
website)
vi) Access and correction of personal data
 Policies must be embodied in a Privacy Manual (Important for NPC audit
purposes) that may include physical and technical security measures.
3) Management of PIP
 If we outsource our personal data processing to a PIP we need to document our
management of the latter’s processing.
4) Risk Assessment Tools
 This is basically the PIA
5) Breach Handling
 Has procedures and officers (or response teams) for handling personal data
breaches.
 Clear reportorial responsibilities
 Procedure must contain protocols in case of breach to the extent that the PIC can
comply with the 72 hour mandatory notification requirement.
 Procedure must contain guidelines in managing internal and external breach
6) Capacity Building
 General orientation for employees
 Special training for key roles
 Should be current and relevant

3. Continuing Assessment and Development

 A DPO must periodically develop and Oversight & Review Plan:

 It sets out how and when the PMP will be monitored and assessed for
effectiveness
 It helps you keep your PMP on track and up-to date.
 It sets out performance measures and mandates a schedule for when the
program controls should be reviewed.
 The effectiveness of Program Controls should be:
 Monitored regularly
  Audited periodically
 And where necessary revised accordingly
 The DPO must review, validate and revise Privacy Manuals and schedule regular
PIAs.

NOTE: We need to translate our PMP into a Privacy Manual. Lawyers, designated DPO
and other staff in charge of personal data processing should be on top of the drafting of
our firm’s Privacy Manual.

V. PRIVACY AND DATA PROTECTION MEASURES

NOTES:

 The NPC requires not only paper compliance but also operational compliance

 Day to day processing of information shall require the following notes:

o Data Life Cycle
o Privacy Notes
o Data Subject Rights

In accordance with Sec. 16 (b) of the DPA: “The data subject is entitled
to: xxxx Be furnished the information indicated hereunder before the entry of his
or her personal information into the processing system of the personal
information controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its
representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to
lodge a complaint before the Commission.
 Any information supplied or declaration made to the data subject on these
matters shall not be amended without prior notification of data
subject:  Provided, That the notification under subsection (b) shall not apply
should the personal information be needed pursuant to a subpoena or when the
collection and processing are for obvious purposes, including when it is
necessary for the performance of or in relation to a contract or service or when
necessary or desirable in the context of an employer-employee relationship,
between the collector and the data subject, or when the information is being
collected and processed as a result of legal obligation;”

 If a data subject wants to file a complaint or exercise his right to data privacy, the
PIC/PIP must have a privacy notice containing the contact details of the DPO.

 Always apprise the data subjects rights under the DPA and other related laws or
NPC issuances.

 The obligation of a PIC/PIP is to uphold the rights of the data subject.

 Data Security
o There is no need for expensive data protection as the law only requires
reasonable and appropriate security measures.

 Types of Data Security Measures:

o Organizational Security Measures- top management should create
culture of privacy unto to the organization
o Physical Security Measures-
 Steel filing cabinets
 Solid walls
 Security guards
 Security locks
 Security cameras
 Calamities and disaster risk management
o Technical Security Measures-
 Firewalls
 Encryptions
 Data Back-ups

 Third Parties
o Data Sharing Agreement (DSA) - a contract, joint issuance or similar
document that contains the terms and conditions of a data sharing
arrangement between 2 or more parties.
 Must be between a PIC and another PIC
 If its between a PIC and a PIP, it is not a DSA but an Outsourcing
Agreement.
o DSA Requisites:
 Consent of the Data Subject
 
Established adequate safeguards for data privacy and security, and
upholding of the rights of data subjects
 Provide data subjects with required information prior to collection
or before data is shared
 Adherence to Data Privacy Principles (Transparency, Legitimate
Purpose and Proportionality)
 Data subjects must have means to access DSA.
o Outsourcing Agreement (OA)
 Section 43, Rule X of the IRR-DPA states that:

 “A personal information controller may subcontract or outsource the processing of

personal data: Provided, that the personal information controller shall use contractual
or other reasonable means to ensure that proper safeguards are in place, to ensure the
confidentiality, integrity and availability of the personal data processed, prevent its use
for unauthorized purposes, and generally, comply with the requirements of the Act, these
Rules, other applicable laws for processing of personal data, and other issuances of the
Commission.”

 An OA must only be between a PIC and a PIP. The two parties will
have a Principal-Agent Relationship. Accordingly, the provisions of
the Civil Code under Agency will apply to the parties of an OA.
 When a PIC outsourced a mail courier, and the processing of mail or
other matter contains personal information, sensitive personal
information or privileged personal information, the latter is
considered a PIP. In such a case the consent of a data subject is not
required for the processing of the personal data.

VI. BREACH REPORTING PROCEDURE

NOTES:

 There are cases when a breach transpires in spite of compliance with the NPA.

 Security Incident Management Policy

o Creation of Security Incident Response Team which must have an
officer who has authority to make decisions.
o Implementations of Security Measures and Personal Data Privacy
Measures.
o Implementation of Security Incident Response Team
o Mitigation of possible harm and negative consequences to a data subject
o Compliance with the DPA

 Mandatory Breach Notification Requirements

o Under Sec. 20 (f) of the DPA:

 “The personal information controller shall promptly notify the Commission and affected data
subjects when sensitive personal information or other information that may, under the circumstances,
be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized
person, and the personal information controller or the Commission believes that such unauthorized
acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The
notification shall at least describe the nature of the breach, the sensitive personal information
possibly involved, and the measures taken by the entity to address the breach. Notification may be
delayed only to the extent necessary to determine the scope of the breach, to prevent further
disclosures, or to restore reasonable integrity to the information and communications system.

(1) In evaluating if notification is unwarranted, the Commission may take into account compliance
by the personal information controller with this section and existence of good faith in the
acquisition of personal information.

(2) The Commission may exempt a personal information controller from notification where, in its
reasonable judgment, such notification would not be in the public interest or in the interests of the
affected data subjects.

(3) The Commission may authorize postponement of notification where it may hinder the progress
of a criminal investigation related to a serious breach.”

o When to Notfiy?

72 hours upon discovery of the data breach

o Who to Notify?

Both the NPC and the affected data subject

o Who will Notify?

PIC through the response team or DPO

o What is the Form of Notification?

Written or Electronic form (send email to complaints@privacy.gov.ph)

o Failure to notify shall constitute NEGLECT and is punishable under the

DPA and IRR-DPA.

 Partial report may filed in the first instance but the full report must
be submitted within 5 days.

o See DPA Toolkit for the Contents of an NPC Breach Notification

o In the event that there is no data breach or security incidents within the
year (including attempts for breach), the PIC may file a report manifesting
the absence of such breach. (not mandatory)

o Annual Reports will be on March 31, 2019 for data breach or security
incidents that transpired in the preceding year (2018).

o Public notification of breach will not satisfy the requirements of the DPA.

-NOTHING FOLLOWS-