Recommended actions
Clients are encouraged to review their data processing systems and determine what actions are required at each phase of the system life cycle. Since the Advisory applies regardless of a system’s current phase or status (whether newly developed, in operation or undergoing updates), compliance should be assessed continuously, not only at deployment.
Based on the Advisory, clients should consider taking the following steps:
- Validate the legal basis of each processing activity; ensure adherence with the general privacy principles of legitimate purpose, transparency and proportionality; and update retention schedules to reflect the stated purpose limitations.
- Run and refresh their privacy impact assessments (PIAs) at least annually and whenever there are major updates, vendor changes, or shifts in scope or purpose.
- Engineer for data minimization and security by using privacy-enhancing technologies (including anonymization and pseudonymization), enforcing encryption in transit and at rest, applying role-based access controls, maintaining disaster-recovery capabilities, and implementing secure disposal procedures.
- Build rights-enablement tooling that allows data subjects to exercise their privacy rights (e.g., access, portability, correction, deletion, opt-out), while maintaining traceability through auditable logs.
- Adopt a secure software development life cycle that incorporates threat modeling, static and dynamic code analysis, and fuzz testing prior to release.
- Deploy systems with a trustworthy user experience by providing clear notices, obtaining valid consent where applicable, avoiding deceptive design patterns and enabling privacy-protective defaults.
- Operate with ongoing governance through continuous incident monitoring and response, periodic audits and control updates, regular staff training and timely remediation of vulnerabilities.
Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group can assist in navigating the foregoing requirements under the Advisory and can provide further details on the same including the DPA, the IRR or any of the NPC’s issuances.
In depth
The Advisory provides a cohesive blueprint for integrating privacy requirements from system conception to retirement. It generally applies to all PICs and PIPs and covers five stages: (i) planning and requirements gathering, (ii) design and development, (iii) testing and evaluation, (iv) deployment and integration, and (v) operation and maintenance. The objective is to ensure that data subject rights are enabled by design and that safeguards are demonstrably effective on an ongoing basis, not only at launch.
- Planning and requirements gathering. PICs and PIPs should determine the lawful basis for each processing activity, ensure that the purpose, scope and methods are compatible with declared and specified purposes, and apply the principles of transparency, legitimate purpose and proportionality when collecting personal data. A PIA should be conducted to identify and evaluate potential risks and effects on data subjects and to inform mitigation measures.
- Design and development. PICs and PIPs must implement data minimization, adopt privacy‑enhancing technologies (e.g., anonymization and pseudonymization, where appropriate), enforce encryption and access controls, and ensure disaster recovery readiness. Organizations should also build rights‑enablement mechanisms into the product experience (e.g., access, portability, correction, deletion, opt‑in/opt‑out) and maintain traceability for access and changes. Threat modeling, static/dynamic analysis, and fuzz testing should be embedded in the life cycle so that weaknesses are addressed before release, and retention and secure disposal should be defined upfront.
- Testing and evaluation. Before deployment, PICs and PIPs should validate the effectiveness of privacy and security controls and the usability of privacy features. This includes conducting code reviews and vulnerability scans and performing a privacy‑architecture review to align technical choices with the DPA, the IRR and relevant NPC issuances.
- Deployment and integration. PICs must provide clear and concise privacy notices, obtain valid consent where consent is the lawful basis, and avoid deceptive design patterns. Defaults should be protective: security settings of a system should be enabled by default; online forms should only require essential information by default and leave optional fields unrequired; opt-in consent mechanisms should have unchecked consent boxes by default; default user profiles should be private rather than public; location tracking should be disabled by default; and payment details should not be saved by default.
- Operation and maintenance. In production, PICs and PIPs should regularly monitor for incidents and breaches with documented response and notification procedures, and conduct periodic audits and PIAs — at least annually — as well as fresh PIAs for major updates, new vendors, or changes in the nature, scope or purpose of processing. Organizations should remediate vulnerabilities promptly, honor data subject rights, and train personnel regularly on secure processing and incident management.
The foregoing requirements as provided by the Advisory are anchored in the long‑standing legal obligation of PICs and PIPs to implement reasonable and appropriate organizational, physical and technical measures under the DPA and its IRR. Hence, noncompliance with the Advisory may result in administrative action by the NPC, including compliance or enforcement orders, administrative fines of up to PHP 5 million (approximately USD 90,900) per violation, and cease‑and‑desist orders or temporary/permanent bans on personal data processing. Affected data subjects may also pursue civil indemnity for violations of their data privacy rights. Finally, where an act or omission constitutes a criminal offense under the DPA, such as unauthorized processing of personal data, criminal penalties may be imposed on responsible officers who participated in, or through gross negligence allowed, the commission of the offense.
*****

© 2025 Quisumbing Torres. All rights reserved. Quisumbing Torres is a member firm of Baker & McKenzie International, a Swiss Verein. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
Please contact QTInfoDesk@quisumbingtorres.com for inquiries.