Executive Takeaway
For executives who barely have time to sift through everything that’s happening, here’s your two-minute takeaway:  
 
- The National Privacy Commission (NPC) now sets explicit, phase-by-phase expectations for embedding privacy engineering across the entire systems life cycle: planning, design, testing, deployment, and operations and maintenance.
- Organizations must continue to run Privacy Impact Assessments (PIA) regularly (at least annually) and again whenever there are major system changes, new vendors, or changes in purpose/scope.
- System development and delivery teams are expected to implement privacy-by-default settings, avoid deceptive design patterns, enable data subject rights in-product, and adopt “privacy-enhancing technologies (PETs)”, encryption, access control, disaster recovery, and traceability.
- This NPC advisory brings the Philippines in line with international best practices, reflecting principles found in GDPR Article 25 (privacy by design/default) and Article 35 (DPIAs), as well as approaches promoted by ENISA’s Data Protection Engineering guidance and the NIST Privacy Framework.
Action Point: Executive Teams should schedule time with their Data Protection Officer (DPO) and IT Teams, especially if your organization is developing and delivering software and IT systems that process personal data. 
 
Technical Takeaways 
For our privacy professionals and IT system developers, administrators, and auditors, here are some nuggets from our reading of NPC Advisory 2025-02.
NPC’s advisory makes it clear: privacy is not a checkbox; it is a commitment throughout the entire system life cycle. It emphasizes privacy-by-design and privacy-by-default, applied across five phases:
 

- Planning and Requirements Gathering – Begin with a PIA. Clearly define what personal data is truly necessary and avoid over-collection. Take note that PIAs need to be performed when:
  - Major system updates or enhancements are released
  - A new vendor or third-party processor is engaged
  - The nature, scope, extent, or purpose of processing changes
  - Annually, even when there are no changes to the system
- Designing and Development – Build privacy into the system. Apply safeguards like PETs, encryption, pseudonymization, role-based access, and secure coding practices. Avoid deceptive design patterns.
 
Deceptive design patterns, also known as “dark patterns”, are interface tactics that steer, nudge, or pressure people into choices they would typically not freely make, especially around consent, settings, and data sharing.
 
Common forms include pre-ticked boxes or opt-outs buried behind extra clicks; confusing toggles that invert meaning; “nagging” prompts that keep reappearing until users relent; bundling multiple consents into an all-or-nothing choice; obstructing cancellation, deletion, or opt-out; and defaulting to public profiles or location tracking.  
 
The NPC has explicit guidance banning such patterns and, under the new privacy engineering advisory, requires organizations to avoid deceptive design patterns when deploying systems and to present clear, concise privacy notices with privacy-protective defaults.
 
Practically, this means “neutral choice architecture” (i.e., there is no preselected consent), simpler paths to refuse or withdraw consent, one-step account closure/data-deletion where feasible, and auditability of the user’s choices. 
 
- Testing and Evaluation – Validate that privacy features work as intended. Check consent flows, access restrictions, and run security tests to uncover vulnerabilities before launch.
- Deployment and Integration – Roll out responsibly. Provide transparent privacy notices, obtain valid consent, and set safe, privacy-protective defaults.
- Operation and Maintenance – Privacy does not end at launch. Continuously monitor, audit, and update privacy controls as systems evolve and new risks appear.   
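The “neutral choice architecture” described under the design phase above can be enforced in code rather than left to the UI. The following is an added illustration, not code from the NPC advisory or from RSM: a small consent model in which every optional purpose defaults to off, a pre-ticked state is detected before rendering, each purpose is decided on its own (no bundling), withdrawal uses the same single call as granting, and every choice lands in an append-only audit trail. The purpose names, record shape and timestamps are constructed for the example.

```javascript
// Added example (not from the NPC advisory or RSM). Purposes and timestamps are constructed.
// Constructed sample list of optional processing purposes a product might offer.
const PURPOSES = ["analytics", "marketing", "location_tracking"];

// Privacy by default: every optional purpose starts OFF. Nothing is pre-ticked.
function defaultConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Fresh record: default settings plus an empty audit trail.
function newRecord() {
  return { consent: defaultConsent(), audit: [] };
}

// Dark-pattern check run against the state a UI intends to render before the user acts:
// any known purpose that is already "true" is pre-selected consent and is reported.
function findPreselectedConsent(initialState) {
  return Object.entries(initialState)
    .filter(([purpose, value]) => PURPOSES.includes(purpose) && value === true)
    .map(([purpose]) => purpose);
}

// One granular decision per purpose. Granting and withdrawing use the same single call,
// so withdrawal is never harder than granting, and bundling is impossible by construction.
// Each change is appended to an append-only audit trail so the user's choices can be shown later.
function recordDecision(record, purpose, granted, now = () => new Date().toISOString()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (typeof granted !== "boolean") throw new Error("decision must be an explicit true/false");
  const entry = { purpose, granted, at: now() };
  return {
    consent: { ...record.consent, [purpose]: granted },
    audit: [...record.audit, entry],
  };
}

// Processing for a purpose is allowed only on an explicit, still-current grant.
function isAllowed(record, purpose) {
  return record.consent[purpose] === true;
}

// Rebuilds the current settings from the audit trail alone, so an auditor can check
// that the stored settings and the recorded choices agree.
function replayAudit(audit) {
  const consent = defaultConsent();
  for (const { purpose, granted } of audit) consent[purpose] = granted;
  return consent;
}
```

Running `findPreselectedConsent` against the initial state of each consent screen is one concrete way to produce the “% of user journeys that passed dark-pattern checks” metric suggested later on this page.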
 
Involve your internal audit / IT audit teams in ensuring that the systems remain compliant with privacy requirements and aligned with principles. Conduct annual audits in conjunction with the internal audit plans.
Tip: For those with Information Security Management System (ISMS) implementations, consider folding these checks into your regular ISMS internal audits for efficiency.
Finally, for DPOs and system administrators, embed metrics that you monitor weekly, monthly, and quarterly. Use these to gain comfort that the data processing systems are continuously aligned with privacy principles and comply with NPC requirements. Some metrics you may want to consider:
- % of systems with documented privacy-by-design decisions at each Systems Development Lifecycle (SDLC) gate;
- mean time to fulfill access, correction, or deletion requests as they relate to the system;
- % of user journeys that passed “dark-pattern” checks (to enforce avoidance of deceptive design patterns);
- % of systems with PETs, encryption, and traceability enabled; or
- PIA coverage, i.e., annual completion rate and time from trigger to PIA.
 

Tip: Provide visibility to these metrics to your senior leadership team on a monthly or quarterly basis to reinforce accountability and embed privacy practices into the culture of the organization. Tone from the top is critical in sustaining a privacy-first mindset. 
Each stage connects to the next, reinforcing the idea that protecting personal data is not a one-time task but an ongoing responsibility. 
How RSM Philippines helps privacy, IT, and audit teams 
The NPC’s Advisory No. 2025-02 provides organizations with a clearer path toward privacy conscious systems. For those handling personal data, now is the time to reflect: 
- Are privacy safeguards built into every stage of our systems?
- Do we have a way to regularly evaluate and update them?
Turning guidelines into action is the next step, whether through internal reviews or independent audits, to make sure privacy is truly at the heart of your systems.  We typically help organizations in this space in the following ways:
- Privacy-by-Design Sprints – we design a rapid PIA playbook and join your product or system sprint sessions to ensure privacy is embedded in the design and development process;
- Consent and UX Clean-up – we redesign notices and consent forms to eliminate dark patterns and align with privacy-by-default;
- Privacy Technology Enablement – we help design blueprints to leverage privacy-enhancing technologies, mechanisms, and processes, review API management and lifecycles, assess development pipeline-integrated scans, and perform IT audit and technical security checks to validate that privacy safeguards are built in and consistently applied.
- Privacy Breach Runbook Design and Simulation – we design or review your breach runbooks and simulate breach scenarios to ensure preparedness of your teams. We can help embed this in a disaster recovery or resilience simulation.
   
(Take our resilience assessment if you have a specific concern on breach readiness: https://forms.office.com/r/Cc4erz0s6p. This survey will provide an assessment of your current state of resilience readiness and identify execution pain points. You will receive a customized Resilience Readiness Scorecard, which you can use to compare against our resilience maturity framework.)
- Annual PIA support and privacy audits – we help conduct and update PIAs and run regular audits to stay compliant, manage risks early, and keep controls effective as systems change.
Contact us 
Privacy should not be an afterthought. It must be integrated and sustained throughout a system’s life cycle.  We can help your organization align with the NPC’s new guidelines and ensure you continuously protect and uphold the privacy rights of your employees and customers.  
 
Kate S. Cabañero - [email protected]
Airiesh L. Mantuano - [email protected]
Elizer P. Betinol - [email protected]
Judy Ann B. Aguinillo - [email protected]
Glenn William Alcala - [email protected]
Authors