On 9 September 2016, the Implementing Rules and Regulations of the Data Privacy Act of 2012, which include cybersecurity regulation, entered into force. The Rules are applicable to any processing of personal data of Philippine citizens. The Rules mandate all data controllers to implement organisational, physical and technical security measures aimed at protecting the availability, integrity and confidentiality of personal data. The Rules provide detailed information on what such security measures should look like. Specifically, organisational measures include the designation of compliance officers, the writing of data protection policies and the maintenance of a record-keeping system. Physical measures concern the design of office spaces as well as the publication of policies. Additionally, the Rules stipulate that technical measures refer to the protection of technical systems and computer networks against accidental, unlawful or unauthorised usage. Lastly, the Rules state that the National Privacy Commission is tasked with monitoring compliance with such measures. The Rules also stipulate the fines for any breaches of the regulations.