Encryption & Data Protection
Plain English Translation
All personal data must be protected using encryption — both at rest and in transit — along with strong authentication controls that limit access to authorized users only. Technical security measures must be designed to preserve the confidentiality, integrity, and availability of personal data at all times. Organizations must keep these controls current as technology and threat landscapes evolve.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Enable full disk encryption on all company laptops and ensure all web traffic uses HTTPS/TLS.
- Enforce strong password policies and enable multi-factor authentication (MFA) on all critical cloud applications.
Required Actions (scaleup)
- Implement database-level encryption for personal data and deploy a centralized identity provider (IdP) for unified authentication.
- Establish formal key management procedures and rotate encryption keys annually.
Required Actions (enterprise)
- Deploy hardware security modules (HSMs) for key management, enforce mutual TLS (mTLS) for microservices, and automate cryptographic compliance scanning.
The Philippines Data Privacy Act requires the implementation of comprehensive organizational, physical, and technical security measures to protect personal data from unauthorized access, alteration, and destruction.
Yes, IRR Section 28(d) explicitly mandates technical security measures such as data encryption during storage (at rest) and while in transit across internal and external networks.
Technical safeguards include data encryption, strong authentication processes, vulnerability assessments, and other logical measures to control and limit access to electronic data.
Organizations must protect computer systems against accidental or unlawful usage and unauthorized access by implementing firewalls, encryption, authentication protocols, and regular security vulnerability assessments.
The National Privacy Commission recommends deploying the most appropriate encryption standards recognized by the information and communications technology industry for both data at rest and data in transit.
Reasonable and appropriate security measures are safeguards that take into account the nature of the personal information, the risks represented by the processing, the size of the organization, and current best practices.
Authentication controls ensure that only accredited and authorized users can access personal data processing systems, thereby satisfying the RA 10173 requirement to prevent unauthorized access.
Sensitive personal information requires heightened security measures, including stringent access limits, mandatory encryption during transport or off-site access, and higher penalties for data breaches.
CISOs can comply by enforcing robust encryption policies, deploying multi-factor authentication, establishing technical vulnerability management, and maintaining secure cryptographic key management lifecycles.
Auditors look for formal encryption policies, technical configuration settings demonstrating TLS/SSL and AES encryption, authentication logs, and vulnerability scan reports.
Data encryption and authentication controls are difficult to prove if evidence is scattered across cloud consoles, identity providers, scan outputs, and policy documents. Tools like WatchDog Security's Compliance Center can centralize control mapping, automate evidence collection, and help teams track whether required security artifacts are current.
RA 10173 technical safeguards should be monitored continuously because TLS settings, MFA enforcement, and cloud storage configurations can drift over time. Tools like WatchDog Security's Posture Management can identify misconfigurations, prioritize remediation, and help teams verify that technical controls remain aligned with policy.
"Technical Security measures such as data encryption, during storage and while in transit, authentication process, and other measures to control and limit access to electronic data should be in place."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

