WikiFrameworksPhilippines DPA (2012)Mandatory Breach Notification

Mandatory Breach Notification

Plain English Translation

Organizations must notify the National Privacy Commission and affected data subjects within 72 hours of becoming aware of a security breach involving sensitive personal information that could give rise to a real risk of serious harm. The notification must describe the nature of the breach, the data involved, and the steps taken to contain and address it. Intentionally concealing a known breach is a criminal offence under RA 10173, punishable by imprisonment and fines.

Executive Takeaway

Mandates notifying the National Privacy Commission and affected subjects within 24 hours of discovering a high-risk data breach.

ImpactHigh
ComplexityHigh

Why This Matters

  • Ensures regulatory compliance with the NPC's strict 24-hour reporting window, avoiding massive fines for breach concealment.
  • Allows affected data subjects to take timely protective measures against identity fraud and other serious financial harms.
  • Demonstrates organizational accountability and transparency during critical security incidents, preserving long-term public trust.

What “Good” Looks Like

  • A documented incident response plan that includes a specific, rehearsed 24-hour NPC notification workflow; tools like WatchDog Security's Compliance Center can keep related evidence, owners, and review tasks tied to the control.
  • Pre-drafted notification templates for communicating effectively with both the regulatory authority and affected individuals.
  • A formal internal triage process to rapidly evaluate if an incident poses a real risk of serious harm; tools like WatchDog Security's Risk Register can record harm-risk decisions, treatment plans, and executive reporting inputs.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

The mandatory breach notification requires organizations to inform the National Privacy Commission and affected data subjects within 24 hours when a severe data breach occurs.

A breach must be reported within 24 hours upon knowledge of or reasonable belief that a qualifying security breach has occurred.

Notification is required when a breach involves sensitive personal information or data enabling identity fraud, and poses a real risk of serious harm to data subjects.

Both the National Privacy Commission (NPC) and the affected data subjects must be notified if the breach meets the legal notification thresholds.

Organizations must notify the NPC within exactly 24 hours of discovering or reasonably believing that a qualifying data breach has taken place.

The notification must describe the nature of the breach, the sensitive personal data involved, mitigation measures taken, and contact details for further assistance.

It is a threshold determined by assessing if the unauthorized acquisition of data is highly likely to result in significant financial, reputational, or physical damage to the data subject.

No, notification is only legally mandated if the breach of sensitive personal data also poses a real risk of serious harm to the affected individuals.

Organizations must notify individuals using clear language, detailing the breach, mitigation steps they can take, and providing a dedicated contact for assistance.

Concealment of a data breach involving sensitive personal information can result in imprisonment of 1.5 to 5 years and a fine up to Php,000,000.

The hardest part of this control is coordinating legal, security, and executive actions fast enough to meet the 24-hour window. Tools like WatchDog Security's Compliance Center can help teams assign owners, track required evidence, and keep breach notification tasks linked to the applicable RA 10173 control.

Organizations need to show why a breach did or did not meet the real-risk-of-serious-harm threshold. Tools like WatchDog Security's Risk Register can help document risk scoring, treatment decisions, accountable owners, and board-level reporting context for breach-related risks.

PHILIPPINES-DPA IRR Section 38(a)

"The Commission and affected data subjects shall be notified within 24 hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a security breach has occurred. Security breach subject of notification under this subsection shall be when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject."

PHILIPPINES-DPA IRR Section 39

"The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. The notification to the data subject should also include measures taken to reduce negative consequence..."

PHILIPPINES-DPA IRR Section 58

"The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission... intentionally or by omission conceals the fact of such security breach."

VersionDateAuthorDescription
1.0.02026-05-06WatchDog GRC TeamInitial publication