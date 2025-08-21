The National Cyber Emergency Services Response Team (PKCERT) has released new data protection guidelines for companies handling citizens’ personal information. The move comes as cyberspace grows increasingly insecure, with rising threats of cyberattacks, hacking, and data leaks.

PKCERT is the federal body responsible for securing Pakistan’s digital assets, sensitive information, and critical infrastructure. Its latest advisory highlights the urgent need for stronger measures to protect personal data, also known as Personally Identifiable Information (PII).

Personal Data at Risk? PKCERT Issues Data Protection Guidelines for Companies

The standards apply to all organisations that collect, store, or process PII. This includes banks, telecom and internet service providers, e-commerce platforms, logistics companies, government bodies, hospitals, schools, and even outsourced service providers. In short, any entity that holds citizens’ data must now ensure it is safeguarded against misuse.

Key Measures for Companies

The advisory has outlined immediate, medium, and long-term steps. Some of the most important ones include:

Classifying data based on its sensitivity.

Using advanced encryption methods.

Implementing multi-factor authentication.

Updating systems regularly to patch security gaps.

Retaining personal data only for legally required periods.

Properly disposing of outdated data to prevent theft.

PKCERT also recommended that staff handling personal information receive security training. It called for continuous monitoring of systems to detect and block unauthorised access.

The guidelines also stress the need for companies to align their policies with Pakistan’s National Cyber Security Policy 2021 (NCSP) and the Prevention of Electronic Crimes Act 2016. According to the NCSP, protecting citizens’ personal data is not just a legal requirement but also a matter of national security and public trust.

The Risks of Weak Protection

PKCERT warned that poor data protection could result in serious consequences. These include identity theft, financial fraud, mass privacy breaches, and operational disruptions. It could also erode public trust, threaten national security, and bring legal or regulatory action against organisations.

The advisory also listed possible threat actors:

Cybercriminal gangs steal data for identity fraud and sell it on dark web marketplaces.

steal data for identity fraud and sell it on dark web marketplaces. State-sponsored groups are using stolen data for surveillance and political manipulation.

are using stolen data for surveillance and political manipulation. Hacktivists are leaking information for ideological reasons.

are leaking information for ideological reasons. Malicious insiders exploit access for personal gain or revenge.

Advice for Citizens

Along with guidance for companies, PKCERT also shared tips for individuals. It urged people to share their CNIC or other personal documents only when necessary, use strong passwords, enable two-factor authentication, and avoid sharing private details online.

Previous Incidents

This is not the first time PKCERT has raised concerns. In May 2025, it was revealed that login credentials of more than 180 million Pakistani internet users had been stolen in a global data breach. Earlier in March 2024, a Joint Investigation Team (JIT) found that the credentials of 2.7 million citizens had been compromised from the National Database and Registration Authority (Nadra) between 2019 and 2023.

Our Thoughts:

With cybercriminals becoming more sophisticated and data leaks on the rise, PKCERT’s latest guidelines highlight a clear message: data protection is now a national priority. Both organisations and individuals must take responsibility to secure sensitive information and prevent future breaches.

See Also: Govt Establishes Pakistan Digital Authority to Lead National IT Transformation