Logging & Audit Trails

Plain English Translation

Organizations must implement logging and audit trail mechanisms that record all access to, and activity within, information systems containing personal data. Logs must capture alterations, deletions, and additions to records, and must be regularly monitored to detect unauthorized or anomalous activity. Audit trails provide the accountability trail needed to investigate incidents and demonstrate compliance.

Executive Takeaway

Mandates the implementation of automated logging mechanisms to track all access, modifications, and deletions of personal data for accountability and forensic analysis.

ImpactHigh
ComplexityMedium

Why This Matters

  • Provides indispensable forensic evidence required to determine the exact scope and impact of a data breach during an incident investigation.
  • Acts as a powerful deterrent against internal data theft or unauthorized modification by ensuring employee actions are continually monitored.
  • Ensures regulatory alignment with NPC technical requirements, avoiding penalties associated with a lack of processing accountability.

What “Good” Looks Like

  • Centralized, immutable audit logs that capture who accessed what personal data, when, and exactly what changes were made; tools like WatchDog Security's Compliance Center can help connect log evidence to RA 10173 control requirements.
  • Automated alerting rules configured to notify security teams of suspicious access patterns or bulk data deletions.
  • A documented log retention policy that preserves audit trails securely for a period aligned with regulatory and business requirements; tools like WatchDog Security's Policy Management can help manage policy versions and acceptance tracking.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The law requires organizations to implement hardware, software, and procedural mechanisms to record and examine system access, and to actively monitor and track any alterations, deletions, or additions to personal data.

While the IRR does not mandate a specific duration, logs should be securely retained in accordance with the organization's formal data retention policy to adequately support post-incident investigations and ongoing compliance audits.

Access logs should definitively capture the user's identity, the precise timestamp of the event, the specific system or record accessed, and the exact nature of the action (e.g., read, create, update, delete).

Yes, IRR Section 28(c) explicitly requires the monitoring and tracking of any alterations, deletions, or additions made to personal data records within an information system.

Audit trails provide objective, historical evidence of data processing activities, enabling organizations to prove accountability, detect unauthorized behavior, and ensure the overall integrity of personal information.

Required technical measures include data encryption, network protection tools like firewalls, vulnerability assessments, and comprehensive mechanisms to record and audit system access and activity.

Organizations should utilize automated software and database mechanisms that instantly generate immutable log entries for all transactional changes and user access events across their infrastructure.

Designated security personnel, system administrators, or internal auditors should be tasked with periodically reviewing audit logs to proactively detect anomalies, unauthorized access, or potential security breaches.

Yes, comprehensive access logs are strictly required for all information systems containing personal data, with heightened scrutiny and monitoring expected for environments processing sensitive personal information.

Audit logs act as crucial forensic evidence, allowing incident response teams to accurately determine the root cause, identify the specific data compromised, and establish a precise timeline of the breach.

Audit logging controls often fail because teams cannot consistently prove that logs are enabled, reviewed, and retained. Tools like WatchDog Security's Compliance Center can help map log-review records, audit logging policies, and evidence artifacts to RA 10173 control requirements so gaps are easier to identify and remediate.

Audit trails depend on both clear procedures and correctly configured systems. Tools like WatchDog Security's Policy Management can help maintain version-controlled audit logging and log retention policies, while WatchDog Security's Posture Management can help identify misconfigurations that weaken logging coverage or monitoring readiness.

PHILIPPINES-DPA IRR Section 28(c)

"Hardware, software, and procedural mechanisms to record and examine access and other activity in information systems containing personal data, including the monitoring and tracking of any alterations, deletions or additions made to records shall be implemented."

VersionDateAuthorDescription
1.0.02026-05-06WatchDog GRC TeamInitial publication