AboitizPower Holds 2025 Data Privacy Learning Session: Embedding Privacy by Design

September 19, 2025


On August 29, 2025, AboitizPower hosted its annual Data Privacy Learning Session with the theme “Embedding Privacy by Design: Empowering Process Owners to Safeguard Personal Data in a Borderless Digital World.” The event brought together employees, advocates, external legal experts, and guest speakers from the National Privacy Commission (NPC) to reinforce compliance with the Data Privacy Act of 2012 and strengthen a culture of accountability and trust. The session sought to demystify the concept of Privacy by Design, highlighting its practical benefits and encouraging AboitizPower’s business units to adopt it as a tool to strengthen compliance while enhancing operational efficiency.

Data Privacy as a Culture of Care

In his opening message, Stephen Bonz, AboitizPower Chief Strategy and Risk Officer, underscored that “data privacy is not merely a matter of compliance but a culture of care” for employees, customers, and stakeholders. He emphasized that cybersecurity has become the world’s number one threat, making data protection a top priority for organizations.

Embedding Privacy into Systems and Practices

The morning discussions began with Jonathan Rudolph Y. Ragsag, Information Technology Officer II from the NPC Data Security and Technology Standards Division, who delivered an in-depth discussion on Privacy by Design (PbD) and Privacy by Default as outlined in NPC Circular 2023-06. Ragsag elaborated on Fair Information Practices (FIPs) such as purpose specification, collection limitation, and data minimization, stressing that non-identifiable interactions should be the default for systems. He reminded participants that accountability under the Data Privacy Act extends across the entire data lifecycle—from acquisition, storage, and use to disposal. His key message was clear: privacy cannot be an afterthought—it must be built into every process and system from the start.

Following this, Dann Mitzelle S. Dalino, Attorney III and Head of Compliance Checks at the NPC Compliance and Monitoring Division, discussed the importance of Privacy Risk Management (PRM) and Privacy Impact Assessments (PIAs). He clarified that PIAs are required for each system within an organization and must be conducted before launching new processes or when transitioning from old ones. Dalino emphasized the importance of mapping information flows, evaluating risks, and applying control measures. He also highlighted NPC’s compliance checks, common deficiencies such as outdated privacy manuals, poor consent practices, and weak access controls, and penalties of up to ₱5 million for violations. His message reinforced that compliance is a continuous process shared by DPOs, division heads, and process owners alike.

Technology Project Delivery Framework

“Fostering Privacy by Design means empowering project managers, embedding privacy requirements in training, and collaborating closely with functional groups,” said Ramon Navarro III, Assistant Vice President for IT Project Portfolio Management at AboitizPower. He explained how the company’s Technology Project Delivery Framework (Tech PDF) integrates privacy, cybersecurity, and compliance requirements into every stage of project management, ensuring that technology initiatives are delivered with efficiency and accountability. Oversight mechanisms, IT focal points, and executive sponsorship were identified as key enablers of success.

Third-Party Risk and Cross-Border Transfers

Closing the learning session, Atty. Joshua Gilbert Paraiso, external counsel from Puyat Jacinto and Santos Law Offices, tackled the challenges of third-party risk management and cross-border data transfers. He introduced the “Three Cs” of managing third-party arrangements: Clarity, by distinguishing between outsourcing (PIC→PIP) and data sharing (PIC↔PIC) agreements; Confidence, through strong incident management policies and breach response teams; and Consideration, by evaluating risks of cross-border transfers under varying global privacy laws. Paraiso also provided updates on NPC Advisory 2024-01 on model contractual clauses and the ASEAN–EU joint guide on cross-border governance, giving participants practical frameworks for navigating international data flows. He concluded by reminding participants that although processors may be held liable for breaches, the controller always remains ultimately accountable to the law and to the data subjects.

Commitment to Privacy and Safety

The session ended with closing remarks from Mark Loue Gomez, Vice President for Enterprise Risk Management and Data Protection Officer at AboitizPower, who thanked participants for their active engagement and reiterated AboitizPower’s commitment to embedding Privacy by Design into its business culture.

By combining proactive privacy principles with compliance practices, the 2025 Data Privacy Learning Session highlighted the company’s dual commitment: to lead with integrity and to ensure that every innovation respects, protects, and empowers the individuals whose data it handles.
