Privacy Management Program
Plain English Translation
Every organization processing personal data must establish and maintain a formal Privacy Management Program that documents its data processing systems, assigns clear accountability, and outlines how data subject rights are upheld. The program must include a privacy policy covering purpose, data flows, governance structure, and the procedures for data subjects to exercise their rights. The DPO is responsible for implementing, maintaining, and regularly reviewing this program.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Draft a basic internal privacy policy and public-facing privacy notice outlining data collection purposes.
- Set up a dedicated email address for data subject requests and complaints, monitored by the assigned compliance officer.
Required Actions (scaleup)
- Develop a comprehensive Data Privacy Manual detailing data flows, role-based access requirements, and breach response protocols.
- Implement a formal tracking system or ticketing board for logging and resolving data subject rights requests within statutory timelines.
Required Actions (enterprise)
- Establish an automated privacy management platform that tracks consent, maps data inventory dynamically, and integrates privacy by design into the software development lifecycle.
- Conduct regular internal audits of the privacy program and execute continuous capacity-building training for all personnel handling sensitive data.
It is an organizational framework encompassing policies, procedures, and governance structures designed to ensure compliance with RA 10173, protect personal data, and facilitate the exercise of data subject rights.
Rule VI, Section 26 requires organizations to assign an accountable DPO, describe data processing systems, map data flows, define personnel duties, and maintain transparent privacy policies.
Companies comply by establishing a comprehensive privacy management program, appointing a DPO, implementing security measures, conducting impact assessments, and facilitating data subject rights.
A privacy manual should include the purpose of data collection, data flows, descriptions of the data processing systems, security measures implemented at each stage, and the governance accountability structure.
The organization's designated Data Protection Officer (DPO) or privacy compliance officer is responsible for planning, implementing, and evaluating the policies and programs for data privacy and security.
The NPC expects organizations to 1) Appoint a DPO, 2) Conduct Privacy Impact Assessments, 3) Create a Privacy Management Program and Manual, 4) Implement Data Security Measures, and 5) Establish Breach Reporting Procedures.
Yes, under the Implementing Rules and Regulations Section 26(b), any natural or juridical person involved in processing personal data must establish an accountability structure and a privacy policy describing their processing.
Organizations must implement formal policies and procedures allowing data subjects to exercise their rights, which includes clear pathways for submitting, reviewing, and resolving privacy-related complaints and requests.
Evidence includes a documented Data Privacy Manual, a public Privacy Policy, training records, internal audit reports, DPO appointment documents, and logs of handled data subject requests and incidents.
Section 26(f) mandates that organizations put in place procedures for regular review, evaluation, and updating of their privacy and security policies, typically conducted annually or when significant operational changes occur.
Privacy management programs become difficult to sustain when policies, evidence, audits, and corrective actions are tracked across disconnected files. Tools like WatchDog Security's Compliance Center can help centralize framework requirements, map controls to evidence, identify gaps, and maintain a clearer record of ongoing RA 10173 compliance activities.
Privacy policies need version control, periodic review, and proof that employees have received and accepted the latest requirements. Tools like WatchDog Security's Policy Management can help manage policy templates, track revisions, collect employee acknowledgements, and preserve audit-ready records for privacy governance.
"Any natural or juridical person or other entity involved in the processing of personal data shall sufficiently describe its data processing system, and identify duties and responsibilities of those who will have access to personal data. The privacy policy should include: Information about the purpose... Information about the data flow... A description of data processing system... A governance and accountability structure..."
"Policy and procedure for data subjects to exercise their rights under the Data Privacy Act, including the right of notification, access, correction, or withdrawal of any consent previously given pertaining to the processing of their personal data;"
"Any natural or juridical person or other entity involved in the processing of personal data shall adopt a quality management program and put in place procedures for review and monitoring, including... Policy for documentation, regular review, evaluation and updating of the privacy and security policies and practices."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Specialist | Initial publication |

