Data Quality Assurance
Plain English Translation
Organizations must ensure that personal data held is accurate, relevant, and complete relative to the purpose of processing, and must keep it up to date where necessary. Inaccurate or incomplete records must be corrected, supplemented, or destroyed. Data subjects have the right to dispute errors and have the controller correct them promptly.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Implement basic input validation on web forms (e.g., email format checks) and provide a support email for users to request data updates.
Required Actions (scaleup)
- Develop self-service portals allowing users to view and update their own profile data directly, reducing the administrative burden of manual corrections.
Required Actions (enterprise)
- Deploy automated data quality scanning tools that continuously audit databases for stale or malformed records, integrating automated workflows for quarantine and destruction.
RA 10173 requires that all processed personal data be accurate, relevant, complete, and kept up to date in relation to the specifically declared purpose of processing.
The data quality principle, detailed in Rule IV, Section 19(c), dictates that organizations must maintain accurate and relevant data, and must rectify or destroy inaccurate information.
Organizations should implement strict input validation, offer self-service profile management for data subjects, and conduct regular database audits to identify and refresh stale data.
The company must immediately rectify the data, supplement it to make it complete, restrict its further processing, or securely destroy the inaccurate records.
Yes, data subjects have a specific right to dispute inaccuracies, and organizations are legally obligated to correct the errors immediately and notify previous recipients.
Inaccurate or incomplete data must be destroyed or its processing restricted when it cannot be rectified or supplemented to meet the required quality standards for its intended purpose.
It ensures organizations do not make flawed decisions based on bad data, upholds the rights of data subjects, and directly satisfies the statutory principles of processing.
Organizations must document the procedures for receiving correction requests, verifying the data subject's identity, executing the update in the database, and notifying third-party processors.
The designated Data Protection Officer (DPO) and the personal information controller hold primary accountability for ensuring the organization's data quality processes are effective.
CISOs can audit data quality by reviewing input validation rules in system architectures, examining the Data Subject Request logs for correction requests, and testing data lifecycle automation scripts.
Data quality controls often fail because validation rules, correction logs, audit results, and destruction records are scattered across teams. Tools like WatchDog Security's Compliance Center can centralize control evidence, map it to RA 10173 requirements, and help teams identify gaps before an internal review or external assessment.
Procedures for correcting, supplementing, restricting, or destroying inaccurate data need clear ownership, version history, and employee acknowledgment. Tools like WatchDog Security's Policy Management can help maintain approved data quality policies, track acceptance, and preserve a record of updates over time.
"Processing should ensure data quality 1. Personal data should be accurate, relevant and complete with respect to the purpose of processing. 2. Personal data shall be kept up to date when necessary for the declared, specified and legitimate purpose. 3. Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Specialist | Initial publication |

