Join Us

Be part of a community that champions data privacy and cybersecurity in the Philippines. At Philippine Data Guardians, we believe that protecting personal data and promoting responsible digital practices is a shared responsibility. By joining us, you take an active role in shaping a safer, more secure digital environment for everyone.

Who Can Join?

We welcome individuals, professionals, organizations, and advocates who share our mission of advancing data protection and compliance.

What is a Member?

A Member is someone who actively participates in our community to learn, share, and implement best practices in data privacy and cybersecurity. As a member, you will:

‣Gain access to exclusive resources, toolkits, and learning materials.
‣Receive updates on data privacy trends, news, and events.
‣Join forums, discussions, and capacity-building sessions.

What is an Advocate?

An Advocate goes beyond membership by becoming a voice for data privacy and security in their organization or community. Advocates help spread awareness, influence policies, and encourage responsible data handling. As an advocate, you will:

‣Represent our cause in your professional network or local community.
‣Lead initiatives that promote compliance and data protection.
‣Collaborate with other advocates to drive change at a larger scale.

How to Perform a Privacy Impact Assessment (PIA)

In today’s digital-first environment, protecting personal data is not only a legal duty — it’s a foundation of public trust. Conducting a Privacy Impact Assessment (PIA) helps organizations in the Philippines uphold their responsibilities under Republic Act No. 10173 (Data Privacy Act of 2012) and prepare for potential privacy risks in their projects and systems.

Why PIAs Matter in the Philippine Setting

‣Legal Compliance: Republic Act No. 10173, commonly referred to as the Data Privacy Act of 2012, mandates that entities implement measures to guarantee transparency, lawful processing, and the protection of data subjects’ rights.
‣Risk Management: A privacy impact assessment (PIA) identifies vulnerabilities within your data lifecycle before potential harm occurs.
‣Stakeholder Confidence: Conducting a PIA demonstrates to clients, citizens, and partners that you prioritize privacy and data protection.

When Should You Conduct a PIA?

Under NPC guidelines, a PIA is recommended whenever your organization plans to:

‣Launch a system involving automated or large-scale personal data processing.
‣Use or adopt new technologies (e.g., biometrics, AI, surveillance).
‣Make significant changes to how personal data is collected or processed.
‣Share personal data with third parties or cross-border recipients.

A good practice is to treat PIAs not as one-time tasks, but as living tools — to be updated whenever changes in processing occur.

Step-by-Step Guide to Performing a PIA


Step 1: Define the Scope and Purpose

Start by identifying:

‣What is the system/project?
‣What personal data will be involved (e.g., names, addresses, IDs, biometric data)?
‣What are the goals, legal bases, and expected outcomes?

Tip: Align your purpose with the general data privacy principles — transparency, legitimate purpose, and proportionality.

Step 2: Map the Data Flow

Trace how personal data will move through your system.

Consider:

‣Where and how is data collected (e.g., online forms, kiosks)?
‣Where is it stored (e.g., local servers, cloud)?
‣Who has access?
‣Is it transferred externally (e.g., to a vendor or agency)?

Create a flowchart to visualize these steps; this helps reveal where risks may appear.

Step 3: Identify and Analyze Risks

Ask:

‣Could this project expose data subjects to harm (e.g., identity theft, profiling)?
‣Are there technical or organizational gaps (e.g., poor encryption, lack of policies)?

Use both qualitative and quantitative tools (e.g., surveys, threat modeling, impact scoring) to assess potential threats.

Step 4: Evaluate Current Controls

Review existing safeguards:

‣Are there access restrictions?
‣Is personal data encrypted or anonymized?
‣Are there policies on data retention, breach reporting, or incident response?

This step lets you check whether current safeguards are adequate or if enhancements are needed.

Step 5: Recommend and Plan Mitigation

For each risk, propose risk-reduction strategies:

‣Add authentication or encryption protocols
‣Update consent and privacy notices
‣Train staff in proper data handling
‣Minimize data collection when not essential
‣Consider the proportionality principle: collect only what’s necessary.

Step 6: Document and Implement Measures

Compile your findings and recommendations into a formal PIA report. This becomes part of your privacy management program and may be reviewed by the Data Protection Officer (DPO) or shared with the NPC, if needed.

Make sure:

‣Key staff understand their roles
‣Policies and systems are updated
‣Monitoring mechanisms are in place

Step 7: Monitor, Review, and Update

Privacy risks evolve. After implementation:

‣Schedule periodic reviews
‣Re-assess when new tools or vendors are introduced
‣Adjust based on emerging threats or regulatory updates

The NPC recommends regular updates, especially when processing practices change.
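To make Steps 2 to 5 concrete, the following is an added example (not code from Philippine Data Guardians or the NPC) of a minimal PIA risk register in Python. Each data flow is recorded with the Step 2 questions (what data, where collected, where stored, who has access, external transfers), the checks in assess() are assumed illustrations of the Step 3 and Step 4 questions, and each finding carries a Step 5 mitigation. The 1 to 5 likelihood and impact scales, the High/Medium/Low thresholds, the list of sensitive categories and the three sample flows are all constructed assumptions, not values prescribed by the Data Privacy Act or NPC guidance.

```python
# Added example (not from Philippine Data Guardians or the NPC): a minimal PIA
# risk register. The data-flow fields follow the Step 2 questions, the rules in
# assess() are assumed examples of Step 3/4 checks, and the 1-5 likelihood x
# impact scale and level thresholds are assumptions, not NPC-prescribed values.
from dataclasses import dataclass, field

# Data categories treated as sensitive for scoring purposes (assumed list).
SENSITIVE = {"biometric", "health", "government_id", "financial"}


@dataclass
class DataFlow:
    """One processing activity, recorded with the Step 2 data-flow questions."""
    name: str
    data_categories: list[str]        # what personal data is involved
    collection_point: str             # where/how it is collected
    storage: str                      # where it is stored
    access_roles: list[str]           # who has access
    encrypted_at_rest: bool           # Step 4: is the stored data encrypted?
    retention_policy: bool = True     # Step 4: is there a retention policy?
    external_recipients: list[str] = field(default_factory=list)  # transfers
    cross_border: bool = False        # any recipient outside the Philippines?


@dataclass
class Risk:
    flow: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int       # 1 (negligible) .. 5 (severe harm to data subjects)
    mitigation: str   # Step 5 recommendation

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumed thresholds on the 1..25 product.
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def assess(flow: DataFlow) -> list[Risk]:
    """Step 3/4: derive risks from gaps in the recorded flow and its controls."""
    sensitive = bool(SENSITIVE & set(flow.data_categories))
    risks: list[Risk] = []
    if not flow.encrypted_at_rest:
        risks.append(Risk(flow.name, "Personal data stored without encryption",
                          likelihood=4, impact=5 if sensitive else 3,
                          mitigation="Encrypt the store; pseudonymize identifiers where possible"))
    if flow.cross_border:
        risks.append(Risk(flow.name, "Transfer to a recipient outside the Philippines",
                          likelihood=3, impact=4 if sensitive else 3,
                          mitigation="Data sharing agreement and verified recipient safeguards"))
    elif flow.external_recipients:
        risks.append(Risk(flow.name,
                          "Disclosure to third parties: " + ", ".join(flow.external_recipients),
                          likelihood=2, impact=3 if sensitive else 2,
                          mitigation="Limit shared fields; put the sharing on a contractual basis"))
    if len(flow.access_roles) > 3:
        risks.append(Risk(flow.name, f"Broad access ({len(flow.access_roles)} roles)",
                          likelihood=3, impact=4 if sensitive else 2,
                          mitigation="Restrict access to roles with a documented need; review periodically"))
    if not flow.retention_policy:
        risks.append(Risk(flow.name, "No retention schedule for the data",
                          likelihood=3, impact=3 if sensitive else 2,
                          mitigation="Define retention periods and a secure disposal procedure"))
    return risks


def build_register(flows: list[DataFlow]) -> list[Risk]:
    """Combine risks from all flows, highest score first (Step 5 ordering)."""
    risks = [r for f in flows for r in assess(f)]
    return sorted(risks, key=lambda r: r.score, reverse=True)


def summarize(register: list[Risk]) -> dict[str, int]:
    """Count findings per level for the PIA report (Step 6)."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[r.level] += 1
    return counts


# Constructed sample flows (not real systems).
KIOSK = DataFlow("ID enrollment kiosk", ["name", "government_id", "biometric"],
                 "public kiosk", "vendor cloud",
                 ["clerk", "supervisor", "vendor_ops", "helpdesk", "auditor"],
                 encrypted_at_rest=False, retention_policy=False,
                 external_recipients=["overseas cloud vendor"], cross_border=True)
PAYROLL = DataFlow("HR payroll", ["name", "financial"], "HR intake form", "on-prem server",
                   ["hr_officer", "finance"], encrypted_at_rest=True,
                   external_recipients=["local payroll vendor"])
NEWSLETTER = DataFlow("Newsletter signup", ["email"], "web form", "on-prem server",
                      ["marketing"], encrypted_at_rest=True)
REGISTER = build_register([KIOSK, PAYROLL, NEWSLETTER])

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.level:6} {r.score:2} {r.flow}: {r.description} -> {r.mitigation}")
    print(summarize(REGISTER))
```

Running the script lists the kiosk's unencrypted biometric store as the single High finding, with its cross-border transfer, broad access and missing retention schedule as Medium, and the payroll vendor disclosure as Low; the newsletter flow produces no findings. The point of the structure is that the register is regenerated from the flow inventory, so Step 7 re-assessment after a new vendor or tool is introduced means updating the DataFlow records rather than rewriting the report by hand.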

A well-executed Privacy Impact Assessment strengthens your organization’s privacy posture, supports regulatory compliance, and builds public trust. Whether you're in government, the private sector, or civil society, conducting PIAs ensures you're protecting not only personal data — but also the dignity and rights of every Filipino.

Looking for a Template or Tool?
Contact Philippine Data Guardians for downloadable templates and automated Privacy Impact Assessment (PIA) tools tailored to the Data Privacy Act of 2012.