
Organization

- Privacy Policy
- Certifications

Privacy Policy
Section IV of the National Privacy Commission’s (NPC) Circular 16-03, which refers to Personal
Data Breach Management, requires that the complying organization impose a breach
management policy for the purpose of preventing or minimizing the occurrence of a personal
data breach and ensuring the timely discovery of any security incident. This breach management
policy may be incorporated into the organization’s privacy policy and privacy management
programs, which should be set up and properly cascaded among the organization’s employees.
One good example of a privacy policy, as discussed in the establishment of a data privacy
accountability framework, is found in the study published by Henry Chang, available at
https://www.nymity.com/data-privacy-resources/~/media/NymityAura/Resources/Research/Privacy-Accountability-Management-Framework-For-Data-Controllers-Operating-Across-Asia.pdf.
The study included the application of the proposed data privacy accountability framework under
Philippine law, as well as in other Asian countries which have enacted data privacy and protection
laws. For the benefit of personal information controllers and personal information processors, the
National Privacy Commission is currently developing a template that may be used as a basis for
drafting a new privacy policy, or for revising an existing one.


Certifications
There is currently no certification process for an organization’s (level of) compliance with the
Data Privacy Act. Nonetheless, the Commission does recommend that organizations obtain
certifications or accreditations vis-à-vis existing international standards, such as those prescribed
by the International Organization for Standardization (ISO), including the following:

- ISO 27000 Family (Information Security Management Systems, ISMS). A systematic
approach to managing sensitive company information that ensures its security. It covers
people, processes and IT systems by applying a risk management process. It can help
businesses of any size keep their information assets secure.
- ISO/IEC 27001:2013. Applicable mainly to organizations that maintain data centers, this
specifies the requirements for establishing, implementing, maintaining, and continually
improving an information security management system within the context of an
organization. It also includes requirements for the assessment and treatment of
information security risks tailored to the needs of an organization. The requirements set
out are generic and are intended to be applicable to all organizations, regardless of type,
size, or nature.
- ISO/IEC 27018:2014. This establishes commonly accepted control objectives, controls,
and guidelines for implementing measures to protect personal information in accordance
with the privacy principles in ISO/IEC 29100, which, in turn, concerns public cloud
computing environments. It also specifies guidelines based on ISO/IEC 27002, taking
into account the regulatory requirements for the protection of personal information that
might be applicable within the context of the information security risk environment(s) of
a (public) cloud service provider. It may be used by organizations of any type and size,
including public and private companies, government entities, and non-profit
organizations, which provide information processing services as Personal Information
Processors (PIP) via cloud computing under contract to other organizations.

The Commission also does not require certifications for key personnel of personal information
controllers or personal information processors, such as the latter’s Data Protection Officer or
Compliance Officer for Privacy. However, it is considered best practice across jurisdictions for
organizations to properly equip their personnel with appropriate training that enables them to
fulfill their specific roles and functions. Some international certifications or trainings commonly
considered for this purpose include:

- Certified Information Systems Auditor (CISA). CISA is a globally recognized
certification for IS audit control, assurance, and security professionals. A person’s CISA
certification attests to his or her audit experience, skills, and knowledge. It demonstrates
one’s ability to assess vulnerabilities, report on compliance, and institute controls within a
particular enterprise.
- Certified Information Security Manager (CISM). A management-focused certification
that promotes international security practices and recognizes the individual who manages,
designs, oversees and assesses an enterprise’s information security.
- Certified in the Governance of Enterprise IT (CGEIT). This certification recognizes a
wide range of professionals for their knowledge and application of enterprise IT
governance principles and practices. A CGEIT certified professional has demonstrated
his or her ability to bring IT governance into an organization, as well as his or her
complete grasp of the complex subject. Thus, he or she is able to enhance the value of an
enterprise.
- Certified Information Systems Security Professional (CISSP). The ideal credential
for those with proven deep technical and managerial competence, skills, experience, and
credibility to design, engineer, implement, and manage the overall information security
program of their organization, thereby protecting it from the growing number of
sophisticated attacks.
- GIAC Security Essentials (GSEC). Designed for professionals seeking to demonstrate
their understanding of information security terminology and concepts, and their
possession of the skills and technical expertise necessary for “hands-on” security roles.
GSEC credential holders are presumed to demonstrate knowledge and technical skills in
various areas (e.g., identifying and preventing common and wireless attacks, access
controls, authentication, password management, DNS, cryptography fundamentals,
ICMP, IPv6, public key infrastructure, Linux, network mapping, and network protocols).
- Project Management Professional (PMP). This certification is touted as the most
important industry-recognized certification for project managers. It signifies that the
holder speaks and understands the global language of project management. It connects
him or her to a community of professionals, organizations and experts worldwide.
Indeed, unlike other certifications that focus on a particular geography or domain, the
PMP is truly global and enables its holder to work in virtually any industry, with any
methodology, and in any location.

While not explicitly required, certifications and/or accreditations allow for a more efficient
verification and monitoring process on the part of the Commission.
