Privacy and Data Protection Compliance Manual

Effective Date: [1 January 2026]

  1. Purpose and Legal Framework
    This Privacy and Data Protection Compliance Manual (“Manual”) establishes the internal framework for ensuring that Initiate Global Foundation, Inc. (“Initiate Global” or the “Foundation”) complies with the Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and issuances of the National Privacy Commission (NPC).

    Initiate Global is a non-stock, non-profit organization acting as a foundation and conduit between donors, campaign creators, and beneficiaries. As such, it processes personal data in the course of operating its crowdfunding platform and related administrative functions.

    This Manual supplements the Foundation’s:

    1. Privacy Notice
    2. Information Security Policy
    3. Audit and Reporting Framework
    4. Risk Disclosure and Compliance Policies

    It applies to all trustees, officers, employees, contractors, volunteers, and third-party processors.

  2. Data Protection Governance Structure
    2.1 Data Protection Officer (DPO)
    The DPO:
    1. Oversees organization-wide compliance with RA 10173;
    2. Is registered with the NPC;
    3. Advises management on privacy risks and regulatory requirements;
    4. Conducts privacy impact assessments (PIAs) when necessary;
    5. Oversees breach response and notification;
    6. Serves as primary contact for data subjects and regulators;
    7. Maintains records of processing activities (ROPA).

    The DPO reports directly to senior management or the Board of Trustees.

    2.2 Senior Management
    Management shall:

    • Approve privacy and security policies;
    • Allocate sufficient resources for compliance;
    • Integrate privacy-by-design into operational processes;
    • Review annual privacy compliance reports.

    2.3 Employees and Personnel
    All personnel who process personal data must:

    • Comply with this Manual and related policies;
    • Access data strictly on a need-to-know basis;
    • Complete mandatory privacy and security training annually;
    • Immediately report suspected incidents or breaches to the DPO.

    Violations may result in disciplinary action, including termination and legal liability.

    2.4 Third-Party Processors
    All vendors handling personal data must:

    • Execute a Data Processing Agreement (DPA);
    • Demonstrate adequate organizational, physical, and technical safeguards;
    • Notify Initiate Global promptly of any breach;
    • Process data strictly in accordance with contractual instructions.

  3. Data Processing Principles
    All processing activities must adhere to the following principles:
    1. Transparency – Data subjects are informed of processing activities.
    2. Legitimate Purpose – Processing must have a lawful and specific purpose.
    3. Proportionality – Data collected must be adequate, relevant, and not excessive.
    4. Security – Reasonable safeguards must protect data confidentiality, integrity, and availability.

    Processing shall only occur under lawful bases such as consent, contractual necessity, legal obligation, legitimate interest, or vital interest.

  4. Data Subject Request Management
    4.1 Recognized Rights
    Data subjects have the right to:
    1. Be informed;
    2. Access their personal data;
    3. Rectify inaccurate data;
    4. Request erasure or blocking (subject to legal limitations);
    5. Object to processing;
    6. Request data portability;
    7. Claim damages where applicable.

    4.2 Handling Procedure

    1. Requests must be submitted to the DPO via official channels.
    2. Identity verification shall be conducted before processing the request.
    3. Acknowledgment shall be issued within five (5) business days.
    4. A response shall be provided within thirty (30) calendar days, unless complexity requires extension.
    5. All requests shall be logged in a Data Subject Request Register.

    Requests may be denied where retention is required by law or where exemptions apply.

  5. Privacy Impact Assessments (PIA)
    A PIA shall be conducted when:
    1. Introducing new technologies affecting personal data;
    2. Launching new data-intensive campaigns or systems;
    3. Engaging high-risk third-party processors;
    4. Processing sensitive personal information at scale.

    The PIA shall assess necessity, proportionality, risks, and mitigation controls.

  6. Breach Management Procedure
    A data breach includes unauthorized access, disclosure, alteration, or destruction of personal data.

    6.1 Incident Response Steps

    1. Identification – Immediate reporting to the DPO.
    2. Assessment – Determine scope, affected data, and risk level.
    3. Containment – Isolate systems, revoke access, secure data.
    4. Notification – Notify NPC and affected individuals where required by law.
    5. Documentation – Record incident details in the Breach Log.
    6. Remediation – Implement corrective measures and review controls.

    Breach response timelines shall comply with applicable regulatory requirements.

  7. Audits and Monitoring
    7.1 Internal Audits
    1. Conducted at least annually;
    2. Review compliance with retention schedules, access controls, and policy adherence;
    3. Findings documented and corrective actions tracked.

    7.2 External Reviews
    Independent audits or compliance assessments may be commissioned to evaluate maturity and regulatory alignment.

  8. Training and Awareness
    All personnel shall undergo:
    1. Onboarding privacy training;
    2. Annual refresher courses;
    3. Specialized training for high-risk roles (e.g., KYC, finance, IT security).

    Training records shall be maintained for audit purposes.

  9. Record Retention and Documentation
    The Foundation shall maintain:
    1. Records of Processing Activities (ROPA);
    2. Data Subject Request logs;
    3. Breach logs and investigation reports;
    4. Vendor compliance documentation;
    5. Training attendance records;
    6. Privacy audit reports.

    Records shall be retained for at least five (5) years or longer if required by law.

    Secure disposal methods shall be used for expired records.

  10. Continuous Improvement and Review
    The DPO shall prepare an annual Privacy Compliance Report for management and the Board of Trustees.

    This Manual shall be reviewed annually or upon:

    1. Regulatory updates;
    2. Significant operational changes;
    3. Major security incidents;
    4. New technology implementation.

  11. Confidentiality Obligation
    All personnel acknowledge that access to personal data is a position of trust. Confidentiality obligations continue even after termination of employment or engagement.

Prepared by Management, 2026