
Philippines: NPC issues Guidelines on Privacy Engineering in Systems Life Cycle

NPC Advisory No. 2025-02 operationalizes privacy by design/default across planning, development, testing, deployment and maintenance of data processing systems.
15 Sept 2025    5 minute read

In brief

The National Privacy Commission (NPC) recently issued Advisory No. 2025‑02, entitled “Guidelines on Privacy Engineering in Systems Life Cycle Processes” (“Advisory”), which provides a practical framework for personal information controllers (PICs) and personal information processors (PIPs) to embed privacy engineering across every stage of the system life cycle. This includes planning and requirements gathering, design and development, testing and evaluation, deployment and integration, and operation and maintenance, regardless of whether a system is newly developed, currently operational or undergoing updates.

The Advisory is anchored on the requirements of the Data Privacy Act (DPA), its implementing rules and regulations (IRR), and relevant NPC issuances. It emphasizes the legal obligation of PICs and PIPs to implement reasonable and appropriate security measures to safeguard personal data.

Recommended actions

Clients are encouraged to review their data processing systems and determine what actions are required at each phase of the system life cycle. Since the Advisory applies regardless of a system’s current phase or status (whether newly developed, in operation or undergoing updates), compliance should be assessed continuously, not only at deployment.

Based on the Advisory, clients should consider taking the following steps:

  • Validate the legal basis of each processing activity; ensure adherence with the general privacy principles of legitimate purpose, transparency and proportionality; and update retention schedules to reflect the stated purpose limitations.
  • Run and refresh their privacy impact assessments (PIAs) at least annually and whenever there are major updates, vendor changes, or shifts in scope or purpose.
  • Engineer for data minimization and security by using privacy-enhancing technologies (including anonymization and pseudonymization), enforcing encryption in transit and at rest, applying role-based access controls, maintaining disaster-recovery capabilities, and implementing secure disposal procedures.
  • Build rights-enablement tooling that allows data subjects to exercise their privacy rights (e.g., access, port, correct, delete, opt-out), while maintaining traceability through auditable logs.
  • Adopt a secure software development life cycle that incorporates threat modeling, static and dynamic code analysis, and fuzz testing prior to release.
  • Deploy systems with a trustworthy user experience by providing clear notices, obtaining valid consent where applicable, avoiding deceptive design patterns and enabling privacy-protective defaults.
  • Operate with ongoing governance through continuous incident monitoring and response, periodic audits and control updates, regular staff training and timely remediation of vulnerabilities.

Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group can assist in navigating the foregoing requirements under the Advisory and can provide further details on the same including the DPA, the IRR or any of the NPC’s issuances.

In depth

The Advisory provides a cohesive blueprint for integrating privacy requirements from system conception to retirement. It generally applies to all PICs and PIPs and covers five stages: (i) planning and requirements gathering, (ii) design and development, (iii) testing and evaluation, (iv) deployment and integration, and (v) operation and maintenance. The objective is to ensure that data subject rights are enabled by design and that safeguards are demonstrably effective on an ongoing basis, not only at launch.

  • Planning and requirements gathering. PICs and PIPs should determine the lawful basis for each processing activity, ensure that the purpose, scope and methods are compatible with declared and specified purposes, and apply the principles of transparency, legitimate purpose and proportionality when collecting personal data. A PIA should be conducted to identify and evaluate potential risks and effects on data subjects and to inform mitigation measures.
  • Design and development. PICs and PIPs must implement data minimization, adopt privacy‑enhancing technologies (e.g., anonymization and pseudonymization, where appropriate), enforce encryption and access controls, and ensure disaster recovery readiness. Organizations should also build rights‑enablement mechanisms into the product experience (e.g., access, portability, correction, deletion, opt‑in/opt‑out) and maintain traceability for access and changes. Threat modeling, static/dynamic analysis, and fuzz testing should be embedded in the life cycle so that weaknesses are addressed before release, and retention and secure disposal should be defined upfront.
  • Testing and evaluation. Before deployment, PICs and PIPs should validate the effectiveness of privacy and security controls and the usability of privacy features. This includes conducting code reviews and vulnerability scans and performing a privacy‑architecture review to align technical choices with the DPA, the IRR and relevant NPC issuances.
  • Deployment and integration. PICs must provide clear and concise privacy notices, obtain valid consent where consent is the lawful basis, and avoid deceptive design patterns. Defaults should be protective: security settings of a system should be enabled by default; online forms should only require essential information by default and leave optional fields unrequired; opt-in consent mechanisms should have unchecked consent boxes by default; default user profiles should be private rather than public; location tracking should be disabled by default; and payment details should not be saved by default.
  • Operation and maintenance. In production, PICs and PIPs should regularly monitor for incidents and breaches with documented response and notification procedures, and conduct periodic audits and PIAs at least annually, as well as fresh PIAs for major updates, new vendors, or changes in the nature, scope or purpose of processing. Organizations should remediate vulnerabilities promptly, honor data subject rights, and train personnel regularly on secure processing and incident management.
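The privacy-protective defaults listed under deployment and integration can be expressed as an audit that a team runs against its own deployment configuration before release. The following is an added Python example, not code from the Advisory or from the authors; the configuration keys, the form schema and the set of essential fields are assumptions made for the illustration.

```python
# Added illustration, not code from the Advisory or from Quisumbing Torres.
# The configuration keys and form schema are assumptions made for this example.

# Privacy-protective defaults required at deployment, one key per item.
EXPECTED_DEFAULTS = {
    "security_settings_enabled": True,     # security settings on by default
    "consent_checkbox_prechecked": False,  # opt-in boxes start unchecked
    "profile_visibility": "private",       # profiles private, not public
    "location_tracking_enabled": False,    # location tracking off
    "save_payment_details": False,         # payment details not retained
}

# Constructed: the only fields a sign-up form truly needs to require.
ESSENTIAL_FIELDS = {"email", "password"}


def audit_defaults(config: dict) -> list:
    """Return one finding per deviation from privacy-by-default; empty if compliant."""
    findings = []
    for key, expected in EXPECTED_DEFAULTS.items():
        actual = config.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected!r}, found {actual!r}")
    # Forms may only require essential information by default.
    for form in config.get("forms", []):
        required = {f["name"] for f in form.get("fields", []) if f.get("required")}
        extra = sorted(required - ESSENTIAL_FIELDS)
        if extra:
            findings.append(f"form {form['name']!r}: non-essential fields required: {extra}")
    return findings


def signup_form(phone_required: bool) -> dict:
    """Constructed sample form; 'phone' is the non-essential field under test."""
    return {"name": "signup", "fields": [
        {"name": "email", "required": True},
        {"name": "password", "required": True},
        {"name": "phone", "required": phone_required},
    ]}


# Constructed weak configuration: every default flipped the convenient way.
WEAK_CONFIG = {k: (not v) if isinstance(v, bool) else "public"
               for k, v in EXPECTED_DEFAULTS.items()}
WEAK_CONFIG["forms"] = [signup_form(phone_required=True)]

# Corrected configuration: the same system with privacy-protective defaults.
HARDENED_CONFIG = {**EXPECTED_DEFAULTS, "forms": [signup_form(phone_required=False)]}
```

Running `audit_defaults` over the weak configuration yields six findings (five flipped defaults plus the non-essential required field), while the corrected configuration yields none; a missing key is reported as a deviation rather than silently passing.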

The foregoing requirements as provided by the Advisory are anchored in the long‑standing legal obligation of PICs and PIPs to implement reasonable and appropriate organizational, physical and technical measures under the DPA and its IRR. Hence, noncompliance with the Advisory may result in administrative action by the NPC, including compliance or enforcement orders, administrative fines of up to PHP 5 million (approximately USD 90,900) per violation, and cease‑and‑desist orders or temporary/permanent bans on personal data processing. Affected data subjects may also pursue civil indemnity for violations of their data privacy rights. Finally, where an act or omission constitutes a criminal offense under the DPA, such as unauthorized processing of personal data, criminal penalties may be imposed on responsible officers who participated in, or through gross negligence allowed, the commission of the offense.

*****

© 2025 Quisumbing Torres. All rights reserved. Quisumbing Torres is a member firm of Baker & McKenzie International, a Swiss Verein. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

Contact Information
Divina Ilas-Panganiban
Partner
Quisumbing Torres, Manila
Read my Bio
divina.ilas-panganiban@quisumbingtorres.com
Angelo Tiglao
Associate
Quisumbing Torres, Manila
Read my Bio
angelo.tiglao@quisumbingtorres.com
Cara Patrice Rosete
Associate
Quisumbing Torres, Manila
Read my Bio
carapatrice.rosete@quisumbingtorres.com
