“Companies that adopt robust data policies and effective breach prevention models will benefit from having a protective shield against sanctions,” emphasize the Compliance Group experts.

Since 2017, the personal data protection bill has been slowly moving through the legislative process. However, it is anticipated that, during the first half of 2024, this prolonged project will finally become law, which would represent a significant milestone in the regulation of personal data in Chile.

The new law establishes a legal framework that seeks to strengthen the obligations of data controllers and provide greater guarantees and protection mechanisms for individuals. Its approval is expected to leave behind the lack of a compliance mechanism in the current Law 19.628 and to align data protection with international standards.

In addition to the creation of the Data Protection Agency, the regulation gives the data controller the possibility of having a breach prevention model that complies with certain minimum requirements. These requirements include the designation of a data protection officer, the identification of the information processed, the associated risks, and protocols to mitigate breaches, among others. The adoption of this model will allow companies to reduce the risk of infringement and mitigate the fines to which they may be exposed.

Given that this legislative change will have a significant impact on the way companies handle and safeguard personal data, it is necessary to prepare for the adoption of these changes. In this context, the first questions the different industries should ask are: What data does the company currently store? Are we complying with the new obligations, both internally and in our dealings with third parties?

Companies that adopt sound policies and effective breach prevention models will benefit from having a protective shield against sanctions. They will also strengthen their reputation and corporate image, as it is to be expected that people prefer to interact with organizations that have robust models and transparent policies.

The joint committee has the arduous task of resolving some key points in the coming weeks, an opportunity that may also be taken to incorporate modifications that have recently been introduced in European legislation on the subject. Among the key aspects that will be discussed are: (i) the extraterritorial application of the law; (ii) definitions regarding the concepts of personal data and sensitive personal data; (iii) determinations regarding the right to cancellation or suppression of personal data; (iv) obligations that the Law establishes for legal entities not incorporated in Chile; (v) the elimination of the collection in publicly accessible sources as a source of lawfulness for the processing; and (vi) the amount of fines, among others.

Although data controllers will have two years to comply with the new obligations once the law is published, early implementation of data processing processes and mechanisms will allow companies to prepare for the legal, economic and reputational risks to which they may be exposed. Ultimately, being ready for these changes is not only a legal obligation, but a strategic opportunity to stand out in the marketplace.

Column written by senior associate Caterina Ravera and associate Constanza Pasarin.

Source: La Tercera newspaper, March 14, 2024.
