Data Security Compliance with NPC Circular 2023-06
Thales can help organizations in the Philippines protect personal data and comply with the guidelines with a Data-centric Security approach.
On April 1, 2024, the National Privacy Commission (NPC) issued Circular 2023-06 to strengthen personal data protection in the Philippines by governing the security of personal data in the government and private sector. The NPC Circular 2023-06 for the Security of Personal Data in the Government and Private Sector provides updated requirements for the security of personal data.
As one of the leaders in data security, Thales enables organizations to comply with this circular in some key sections by recommending the appropriate data security and identity management technologies.
Regulation Overview
The NPC Circular 2023-06 for the Security of Personal Data in the Government and Private Sector provides updated requirements for the security of personal data processed by a personal information controller (PIC) or a personal information processor (PIP). The Circular also sets provisions on the storage of personal data, ensuring data subjects’ information is stored for the necessary duration and protected through industry standards and best practices.
Additionally, the Circular outlines stringent provisions for access to personal data, specifying procedures for authorized personnel, acceptable use policies, secure authentication mechanisms, and measures for remote disconnection or deletion of data on mobile devices, among others.
Penalties
Violating the Circular may result in the issuance by the NPC of compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines against the PIC or PIP. In addition, failure to comply with the Circular may result in criminal, civil and administrative liabilities and disciplinary sanctions against any erring officer or employee of the PIC or PIP. There is a transitory period of 12 months from the effectivity of the Circular or until 30 March 2025 to comply with the foregoing requirements.
Thales helps organizations comply with Circular 2023-06 by addressing some of the sections on Privacy Impact Assessment (PIA), Control Framework for Data Protection, Privacy-By-Design and Privacy-By-Default, Storage, Access and Disposal of Personal Data.
NPC Circular 2023-06 | Thales Solutions |
---|---|
2.1 Data Classification | |
SECTION 5. Privacy Impact Assessment (PIA) - a data inventory | A crucial step is understanding what constitutes sensitive data, where and how it is stored, and who can access it, and introducing data activity monitoring. CipherTrust Data Discovery & Classification discovers and classifies data in all the data stores in an organization’s data estate, from structured to semi-structured to unstructured across on-premises, hybrid, cloud, and multi-cloud environments. This visibility enables organizations to build a robust data privacy and security foundation. Imperva Data Security Fabric Data Activity Monitoring (DAM) is a comprehensive solution that not only classifies and discovers valuable data but also provides proactive controls, predictive analytics, and security assessments, enabling centralized command across file stores, assets, and multiple clouds. |
SECTION 6. Control Framework for Data Protection | Imperva Data Security Fabric Data Activity Monitoring (DAM) is a continuous monitoring system that provides detailed audit trails for various data storage platforms, including relational databases, NoSQL databases, mainframes, big data platforms, and data warehouses, and automatically captures detailed data activity for auditing purposes. |
RULE II: EMBEDDING PRIVACY-BY-DESIGN AND PRIVACY-BY-DEFAULT | |
SECTION 7. Privacy-By-Design and Privacy-By-Default | Organizations can secure sensitive data privacy by design with Thales Tokenization and Transparent Encryption. CipherTrust Tokenization permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate data without exposing sensitive data during the analysis or in reports. CipherTrust Transparent Encryption encrypts sensitive data and enforces granular privileged-user-access management policies, providing a separation of roles. Organizations can add Multi-Factor Authentication (MFA) for additional protection, limiting privileged users' access. |
RULE III. STORAGE OF PERSONAL DATA | |
SECTION 10. Service Provider as Personal Information Processor SECTION 11. Protection of Personal Data. | CipherTrust Data Security Platform offers various data protection features, including Transparent Encryption at the file system layer, ransomware protection using real-time behavior monitoring, database protection with key management, and application layer libraries for C and Java. It also provides a gateway for encryption without modifying application code. Organizations can enhance protection of sensitive data by masking them with CipherTrust Data Security Platform through below: |
RULE IV. ACCESS TO PERSONAL DATA | |
SECTION 12. Access to or Modification of Databases. SECTION 13. Restricted Access. SECTION 16. Online Access to Personal Data. | Imperva Data Security Fabric Data Risk Analytics monitors data access and activity for all databases, providing visibility to identify risky data access for all users, including privileged users. It delivers real-time alerting and user access blocking of policy violations, while retaining years of data for audits. CipherTrust Transparent Encryption (CTE) controls access to restricted information by encrypting sensitive data and enforcing granular privileged-user-access management policies. Thales Identity and Access Management Solutions limit access based on roles and context, while Thales SafeNet Trusted Access manages access to cloud services and enterprise applications. |
RULE VII. GUIDELINES FOR DISPOSAL OF PERSONAL DATA | |
SECTION 28. Disposal and Destruction of Personal Data. SECTION 29. Logs Retention. SECTION 30. Procedures for Disposal and Destruction. SECTION 31. Personal Data Disposal Service Provider. | CipherTrust Transparent Encryption (CTE) and CipherTrust Tokenization offer a "crypto-shreds" function that destroys the encryption key for the encrypted data and ensures that the information cannot be restored. CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments, ensuring secure asset disposal and effective deletion of encrypted information using FIPS 140-2-compliant virtual or hardware appliances. |
RULE VIII. MISCELLANEOUS PROVISIONS | |
SECTION 32. Threat monitoring and vulnerability management. | Threat monitoring is one crucial capability for organizations to prevent, detect, and respond to a cyberattack. Imperva Data Security Fabric and Thales CipherTrust Transparent Encryption Ransomware Protection can help organizations address this challenge. Imperva Data Security Fabric Data Risk Analytics monitors data access and activity for all databases, providing visibility to identify risky data access for all users. It combines deep domain security expertise with machine learning to identify suspicious behaviors violating security policies. CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal I/O activity, alerting or blocking malicious activity before ransomware can take hold. |