Frequently Asked Questions (FAQ)


  • Who should conduct a PIA?

    Any organization that processes personal data, especially where the processing is likely to pose a high risk to individuals' privacy, should conduct a Privacy Impact Assessment (PIA).

    This includes:

    – Government agencies and LGUs
    – Schools and universities
    – Hospitals and healthcare providers
    – Private companies handling large-scale or sensitive personal data
    – NGOs managing beneficiary data

    The Data Protection Officer (DPO) usually leads the PIA, with input from the IT, legal, HR, and management teams.

  • What is RA 10173?

    Republic Act No. 10173, also known as the Data Privacy Act of 2012, is the Philippines' comprehensive privacy law.

    It aims to:

    – Protect the fundamental right to privacy
    – Regulate the processing of personal data in both the public and private sectors
    – Establish the National Privacy Commission (NPC) as the enforcing authority

    The law applies to any person or organization that collects, uses, or stores personal information, whether the processing is manual or digital.

  • Do LGUs need a Data Protection Officer?

    Yes. All Local Government Units (LGUs) are required to designate a Data Protection Officer (DPO) and comply with RA 10173 and its Implementing Rules and Regulations; the NPC's guidance on the designation of DPOs is set out in NPC Advisory No. 2017-01.

    The DPO is responsible for:

    – Ensuring that data privacy policies and practices are in place
    – Conducting PIAs on local programs (e.g., health, education, and profiling systems)
    – Overseeing breach response and the handling of data subject rights

    Even barangays that process personal data should designate someone as DPO or as a Compliance Officer for Privacy (COP).

  • Can small NGOs be penalized under the law?

    Yes. All organizations, regardless of size, are covered by RA 10173 if they process personal data.

    Even small NGOs handling:

    – Donor information
    – Beneficiary profiles
    – Monitoring and evaluation data

    must ensure privacy compliance.

    Failure to follow the law may result in:

    – Fines ranging from ₱100,000 to ₱5 million, depending on the offense and on whether sensitive personal information is involved
    – Criminal penalties, including imprisonment
    – Revocation of permits or licenses for repeat violations

    The good news: small organizations are encouraged to start with basic compliance steps, such as appointing a DPO, registering their data processing systems with the NPC where registration is required, conducting PIAs, and publishing privacy notices.