Mandatory Breach Notification
Plain English Translation
Organizations must notify the National Privacy Commission and affected data subjects within 72 hours of becoming aware of a security breach involving sensitive personal information that could give rise to a real risk of serious harm. The notification must describe the nature of the breach, the data involved, and the steps taken to contain and address it. Intentionally concealing a known breach is a criminal offence under RA 10173, punishable by imprisonment and fines.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Define a basic incident response checklist and identify the primary legal point of contact responsible for NPC reporting.
Required Actions (scaleup)
- Implement automated alerting for data exfiltration and formalize a triage matrix to evaluate harm risk within hours of detection.
Required Actions (enterprise)
- Conduct continuous tabletop exercises involving legal, PR, and technical teams to ensure strict 24-hour SLA readiness for NPC notification.
The mandatory breach notification requires organizations to inform the National Privacy Commission and affected data subjects within 24 hours when a severe data breach occurs.
A breach must be reported within 24 hours upon knowledge of or reasonable belief that a qualifying security breach has occurred.
Notification is required when a breach involves sensitive personal information or data enabling identity fraud, and poses a real risk of serious harm to data subjects.
Both the National Privacy Commission (NPC) and the affected data subjects must be notified if the breach meets the legal notification thresholds.
Organizations must notify the NPC within exactly 24 hours of discovering or reasonably believing that a qualifying data breach has taken place.
The notification must describe the nature of the breach, the sensitive personal data involved, mitigation measures taken, and contact details for further assistance.
It is a threshold determined by assessing if the unauthorized acquisition of data is highly likely to result in significant financial, reputational, or physical damage to the data subject.
No, notification is only legally mandated if the breach of sensitive personal data also poses a real risk of serious harm to the affected individuals.
Organizations must notify individuals using clear language, detailing the breach, mitigation steps they can take, and providing a dedicated contact for assistance.
Concealment of a data breach involving sensitive personal information can result in imprisonment of 1.5 to 5 years and a fine up to Php,000,000.
The hardest part of this control is coordinating legal, security, and executive actions fast enough to meet the 24-hour window. Tools like WatchDog Security's Compliance Center can help teams assign owners, track required evidence, and keep breach notification tasks linked to the applicable RA 10173 control.
Organizations need to show why a breach did or did not meet the real-risk-of-serious-harm threshold. Tools like WatchDog Security's Risk Register can help document risk scoring, treatment decisions, accountable owners, and board-level reporting context for breach-related risks.
"The Commission and affected data subjects shall be notified within 24 hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a security breach has occurred. Security breach subject of notification under this subsection shall be when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject."
"The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. The notification to the data subject should also include measures taken to reduce negative consequence..."
"The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission... intentionally or by omission conceals the fact of such security breach."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

