System Integrity & Availability
Plain English Translation
Technical measures must be in place to ensure personal data systems remain available and that data integrity is maintained against accidental loss, corruption, or interference. This includes resilience mechanisms such as backups, redundancy, and disaster recovery capabilities. System availability is a core obligation — disruptions that prevent access to or corrupt personal data are a compliance failure under the Act.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Enable automated daily snapshots for critical cloud databases and ensure basic anti-malware protections are deployed on servers.
Required Actions (scaleup)
- Implement cross-region data replication, deploy DDoS protection for public endpoints, and conduct annual tabletop disaster recovery exercises.
Required Actions (enterprise)
- Establish active-active high-availability infrastructure architectures, utilize immutable backup storage, and perform fully automated quarterly failover testing.
RA 10173 requires organizations to implement reasonable and appropriate organizational, physical, and technical measures intended to protect personal data against accidental or unlawful destruction, alteration, and unauthorized access.
System integrity refers to maintaining the accuracy, consistency, and completeness of personal data, while availability ensures the data remains continuously accessible and usable for authorized processing when needed.
While the law is technology-neutral, it mandates reasonable and appropriate technical safeguards to ensure availability. Industry best practices require automated, regular, and securely stored backups capable of restoring operations.
Organizations protect availability by deploying highly redundant infrastructure, maintaining regular and isolated data backups, implementing disaster recovery plans, and utilizing technical anti-interference tools like DDoS mitigation.
Key technical controls include encryption, network firewalls, automated vulnerability scanning, strict access control mechanisms, malware protection, and automated secure backup systems.
Yes, the mandate to safeguard data availability and protect computer networks against disruptive interference implicitly requires formal disaster recovery and business continuity plans to ensure rapid restoration of operations.
Companies must deploy robust perimeter defenses, intrusion prevention systems, file integrity monitoring, and advanced anti-malware solutions to swiftly detect and block malicious traffic or unauthorized system alterations.
Auditors will look for backup configuration settings, historical disaster recovery testing records, system uptime and SLA reports, and formally approved business continuity policy documents.
While the law generally mandates 'regular assessment', aligning with industry standard security practices requires organizations to physically test data backups and recovery procedures at least quarterly or annually.
Reasonable and appropriate safeguards are security controls precisely tailored to address the specific risks of the processing, the sensitivity of the personal information, the size of the organization, and current industry standards.
Availability controls are only useful for compliance when they are consistently documented and reviewable. Tools like WatchDog Security's Compliance Center can help map backup configurations, disaster recovery tests, uptime reports, and related evidence to the relevant RA 10173 control requirements.
System integrity and availability can be weakened by cloud misconfigurations, exposed services, missing protections, or insecure infrastructure settings. Tools like WatchDog Security's Posture Management can help detect these issues across environments and provide remediation guidance before they affect personal data systems.
"Personal information controllers shall have in place technical and logical security measures for data protection, intended to safeguard the availability, integrity and confidentiality of personal data."
"Personal data in a computer network should be protected against risks such as accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder functioning or availability of system, and unauthorized access transmitted over an electronic network."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

