Section IV of the National Privacy Commission’s (NPC) Circular 16-03
referring to Personal Data Breach Management, requires that the
complying organization impose a breach management policy for the
purpose of preventing or minimizing the occurrence of a personal data
breach and assure the timely discovery of any security incident. This
breach management policy may be incorporated into the organization’s
and properly cascaded amongst the organization’s employees.
of a data privacy accountability framework is stated in the study
published by Henry Chang, listed in https://www.nymity.com/data-privacy-resources/~/media/NymityAura/Resources/Research/Privacy-Accountability-Management-Framework-For-Data-Controllers-Operating-Across-Asia.pdf
The study included the application of the proposed data privacy
accountability framework under Philippine law, as well as other Asian
countries which have enacted data privacy and protection laws.
For the benefit of personal information controllers and personal
information processors, the National Privacy Commission is currently
developing a template that may be used as basis in the drafting of a
There is currently no certification process for an organization’s
(level of) compliance with the Data Privacy Act. Nonetheless, the
Commission does recommend that organizations obtain certifications or
accreditations vis-à-vis existing international standards, such as
those prescribed by the International Organization for Standardization
including the following:
- ISO 27000 Family on Information Security
Management Systems (ISMS). A systematic approach to managing
sensitive company information that ensures its security. It includes
people, processes and IT systems by applying a risk management process.
It can help businesses of any size keep their information assets secure.
- ISO/IEC 27001:2013. Applicable mainly to
organizations that maintain data centers, this specifies the
requirements for establishing, implementing, maintaining, and
continually improving an information security management system within
the context of an organization. It also includes requirements for the
assessment and treatment of information security risks tailored to the
needs of an organization. The requirements set out are generic and are
intended to be applicable to all organizations, regardless of type,
size, or nature.
- ISO/IEC 27018:2014. This establishes
commonly-accepted control objectives, controls, and guidelines for
implementing measures to protect personal information in accordance
with the privacy principles in ISO/IEC 29100, which, in turn, concerns
public cloud computing environments. It also specifies guidelines based
on ISO/IEC 27002, taking into account the regulatory requirements for
the protection of personal information that might be applicable within
the context of the information security risk environment(s) of a
(public) cloud service provider. It may be used by organizations of any
type and size, including public and private companies, government
entities, and non-profit organizations, which provide information
processing services as Personal Information Processors (PIP) via cloud
computing under contract to other organizations.
The Commission likewise does not require certifications for key personnel
of personal information controllers or personal information processors,
such as the latter’s Data Protection Officer or Compliance Officer for
Privacy. However, it is considered best practice across jurisdictions
for organizations to properly equip their personnel with appropriate
trainings that enable them to fulfill their specific roles and
functions. Some international certifications or trainings commonly
considered for this purpose include:
- Certified Information Systems Auditor (CISA).
CISA is a globally recognized certification for IS audit control,
assurance, and security professionals. A person’s CISA certification
attests to his or her audit experience, skills, and knowledge. It
demonstrates one's ability to assess vulnerabilities, report on
compliance, and institute controls within a particular enterprise.
- Certified Information Security Manager (CISM).
A management-focused certification that promotes international
security practices and recognizes the individual who manages, designs,
oversees, and assesses an enterprise’s information security.
- Certified in the Governance of Enterprise IT
(CGEIT). This certification recognizes a wide range of
professionals for their knowledge and application of enterprise IT
governance principles and practices. A CGEIT certified professional has
demonstrated his or her ability to bring IT governance into an
organization, as well as his or her complete grasp of the complex
subject. Thus, he is able to enhance the value of an enterprise.
- Certified Information Systems Security
Professionals (CISSP). The ideal credential for those with
proven deep technical and managerial competence, skills, experience,
and credibility to design, engineer, implement, and manage the overall
information security program of their organization, thereby protecting
it from the growing number of sophisticated attacks.
- GIAC Security Essentials (GSEC). Designed
for professionals seeking to demonstrate their understanding of
information security terminology and concepts, and their possession of
skills and technical expertise necessary for “hands-on” security roles.
GSEC credential holders are expected to demonstrate knowledge and
technical skills in various areas (e.g., identifying and preventing
common and wireless attacks, access controls, authentication, password
management, DNS, cryptography fundamentals, ICMP, IPv6, public key
infrastructure, Linux, network mapping, and network protocols).
- Project Management Professional (PMP). This
certification is touted as the most important industry-recognized
certification for project managers. It signifies that the holder speaks
and understands the global language of project management. It connects
him or her to a community of professionals, organizations and experts
worldwide. Indeed, unlike other certifications that focus on a
particular geography or domain, the PMP is truly global and enables its
holder to work in virtually any industry, with any methodology, and in
While not explicitly required, certifications and/or accreditations
allow for a more efficient verification and monitoring process on the
part of the Commission.