NPC extends deadline of 2017 annual incident report to June 30

Organizations and professionals processing personal data in the country now have until June 30 to submit their first annual security incident report to the National Privacy Commission (NPC) after the agency adjusted the deadline, which was initially set on March 31.

The annual security incident report is among the yearly compliance obligations of Personal Information Controllers (PICs), as provided for in the IRR of the Data Privacy Act of 2012, and as discussed in NPC Circular 16-03. It contains all security incidents of the PIC from January 1 to December 31, 2017, including a summary of every breach incident and aggregate data of non-breach incidents.

"We are intent on coming up with a version of the annual report that is more concise and easier for DPOs to prepare. At the same time, the Commission is also seeking ways to align the annual report with the requirements of other privacy regulations on international data flows such as the GDPR and APEC-CBPR," said Privacy Commissioner Raymund Enriquez Liboro.

The Commission is expected to announce specific changes in the annual security incident report in a few weeks. Meantime, Liboro said annual reports that have already been submitted by PICs based on present guidelines would be considered sufficient for the year.