WikiFrameworksPhilippines DPA (2012)Encryption & Data Protection

Encryption & Data Protection

Plain English Translation

All personal data must be protected using encryption — both at rest and in transit — along with strong authentication controls that limit access to authorized users only. Technical security measures must be designed to preserve the confidentiality, integrity, and availability of personal data at all times. Organizations must keep these controls current as technology and threat landscapes evolve.

Executive Takeaway

Mandates the implementation of encryption and strong authentication to secure personal data at rest and in transit.

ImpactHigh
ComplexityHigh

Why This Matters

  • Encryption renders stolen or leaked data unreadable, functioning as a critical fail-safe against data breaches.
  • Ensures regulatory alignment with NPC technical security standards, reducing the risk of severe financial penalties.
  • Strong authentication protocols drastically lower the risk of unauthorized access via compromised credentials.

What “Good” Looks Like

  • All sensitive personal information is encrypted both at rest (e.g., AES-256) and in transit (e.g., TLS 1.2+); tools like WatchDog Security's Posture Management can help detect weak encryption, insecure TLS, or exposed storage configurations.
  • Multi-factor authentication (MFA) is strictly enforced for all user access to data processing systems, with evidence tracked through tools like WatchDog Security's Compliance Center for audit readiness.
  • A formalized cryptographic key management procedure securely governs the lifecycle of all encryption keys.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The Philippines Data Privacy Act requires the implementation of comprehensive organizational, physical, and technical security measures to protect personal data from unauthorized access, alteration, and destruction.

Yes, IRR Section 28(d) explicitly mandates technical security measures such as data encryption during storage (at rest) and while in transit across internal and external networks.

Technical safeguards include data encryption, strong authentication processes, vulnerability assessments, and other logical measures to control and limit access to electronic data.

Organizations must protect computer systems against accidental or unlawful usage and unauthorized access by implementing firewalls, encryption, authentication protocols, and regular security vulnerability assessments.

The National Privacy Commission recommends deploying the most appropriate encryption standards recognized by the information and communications technology industry for both data at rest and data in transit.

Reasonable and appropriate security measures are safeguards that take into account the nature of the personal information, the risks represented by the processing, the size of the organization, and current best practices.

Authentication controls ensure that only accredited and authorized users can access personal data processing systems, thereby satisfying the RA 10173 requirement to prevent unauthorized access.

Sensitive personal information requires heightened security measures, including stringent access limits, mandatory encryption during transport or off-site access, and higher penalties for data breaches.

CISOs can comply by enforcing robust encryption policies, deploying multi-factor authentication, establishing technical vulnerability management, and maintaining secure cryptographic key management lifecycles.

Auditors look for formal encryption policies, technical configuration settings demonstrating TLS/SSL and AES encryption, authentication logs, and vulnerability scan reports.

Data encryption and authentication controls are difficult to prove if evidence is scattered across cloud consoles, identity providers, scan outputs, and policy documents. Tools like WatchDog Security's Compliance Center can centralize control mapping, automate evidence collection, and help teams track whether required security artifacts are current.

RA 10173 technical safeguards should be monitored continuously because TLS settings, MFA enforcement, and cloud storage configurations can drift over time. Tools like WatchDog Security's Posture Management can identify misconfigurations, prioritize remediation, and help teams verify that technical controls remain aligned with policy.

PHILIPPINES-DPA IRR Section 28(d)

"Technical Security measures such as data encryption, during storage and while in transit, authentication process, and other measures to control and limit access to electronic data should be in place."

PHILIPPINES-DPA IRR Section 28(a)

"Personal information controllers shall have in place technical and logical security measures for data protection, intended to safeguard the availability, integrity and confidentiality of personal data."

VersionDateAuthorDescription
1.0.02026-05-06WatchDog GRC TeamInitial publication