On 30 March 2024, the National Privacy Commission (NPC) Circular 2023-06 Security of Personal Data in the Government and Private Sector entered into force. The Circular provides updated requirements for the security of personal data processed by personal information controllers (PICs) or personal information processors (PIPs). The requirements include the designation and registration of a data protection officer, the registration of data processing systems, conducting privacy impact assessments (PIAs), implementing a privacy management program, training personnel periodically on privacy and data protection policies, and compliance with the orders of the NPC. Furthermore, personal data must be stored as long as deemed necessary and appropriate based on best practices and industry standards. Lastly, PICs and PIPs must implement a business continuity plan that mitigates potential disruptive events. The plan must include personal data backups, restoration, business impact assessment, and a crisis communications plan.
Original source