Manage Legal



The legal counsel or legal department should lead, or at least actively participate in, the drafting of the organization's privacy policy and privacy management program (or manual). It shall assist the Data Protection Officer in ensuring such materials are in compliance with the DPA, its IRR, and all other issuances by the National Privacy Commission (NPC), by monitoring policy developments relevant to the business and/or operations of the organization.

In the event of a personal data breach or security incident, the legal counsel or department should also be able to monitor the remedial measures undertaken by the organization, and provide the appropriate legal advice, when requested. For this purpose, it shall keep in mind the specific rules governing personal data breach management, as provided in NPC Circular No. 2016-03.




Contracts entered into by the organization, especially those involving data-sharing agreements (DSAs) and outsourcing or subcontracting agreements, should be properly reviewed by the legal counsel or legal department to check if the content and provisions thereof are compliant with the appropriate provisions of the DPA, its IRR, and relevant NPC issuances. It is worth noting that personal information controllers are directed to make use of all available means (i.e., contracts) in ensuring that personal information processors they conduct business with are also complying with the law.

There must also be an inventory of contracts involving personal data that have been executed or entered into by the organization. This inventory must be kept in a safe and secure area, accessible only to authorized personnel.


Due Diligence


Due diligence is the process of examining all material facts relating to a contract or transaction before it is entered into or executed by the parties. This is usually performed by the legal counsel or legal department, or is outsourced to a third-party service provider (e.g., private law firm). To be effective, due diligence must take into account all aspects of the proposed contract or transaction in order to eliminate, or at least mitigate, any potential risk that may be identified or associated with the proposed undertaking.




The legal counsel or legal department must keep itself abreast of any or all policy developments involving data privacy, particularly those issued by the NPC. It has the duty to inform the organization of any significant updates, through the issuance of appropriate memoranda or advisories.

Given this particular function, collaboration with other departments or units within the organization may be warranted. This shall guarantee the proper dissemination of information among all personnel, particularly those responsible for the data processing systems of the organization.

Ideally, advisories and/or similar announcements should be released or conducted on a regular basis in order to help establish a culture of privacy within the organization.