We invite you to read the column written by our Director of the Compliance Group, Yoab Bitran, and senior associate at az Tech, Antonia Nudman, on the occasion of International Data Protection Day, in which they address four key lessons to be prepared for the new Data Act.
We invite you to read the column written by our Director of the Compliance Group, Yoab Bitran, and senior associate at az Tech, Antonia Nudman, on the occasion of International Data Protection Day, in which they address four key lessons to be prepared for the new Data Act.
International Data Protection Day, celebrated today, provides a good opportunity to review the main lessons we have gathered from the implementation of this regulation in Chile. These are not theoretical recommendations; rather, they arise from the assessment, internal coordination, and above all, from the execution of the rollout of this new law, which will come into force on December 1. These are our recommendations for optimal execution:
The first lesson is cross-functionality. Implementation is not a project “for the legal department” or “for IT”: it is an operational change that cuts across Human Resources, Operations, Finance, Marketing, Customer Service, and the Board of Directors. When it is approached as an isolated task, the result is usually predictable: the paperwork is organized, but processes remain unchanged. This is why the saying “stick to your knitting” matters in a double sense. For the company, it requires involving all areas that actually process data. For advisors, it requires building interdisciplinary teams with specialized expertise: labor issues, consumer matters, and regulatory challenges are not addressed in the same way; and sector-specific contexts—such as healthcare or finance—raise the bar and change the conversation.
The second lesson is that if teams do not communicate, the program fails. The most significant gaps rarely emerge in interviews; they appear when IT explains how data is replicated, how a vendor is integrated, who truly has access, how long data is retained, and why. Effective implementation requires Security to understand risk, Legal to understand legitimacy, Operations to understand continuity, and Human Resources to understand the impact on people.
The third lesson is learning to live with regulatory uncertainty without becoming paralyzed. Guidance from the Agency is still pending, and some of it will be decisive, especially regarding Data Protection Impact Assessments (DPIAs). But operations cannot wait. There are sensitive processing activities that sustain daily operations—for example, biometric timekeeping or enhanced access controls in plants—often based on exceptions to consent. The point is not to slow down the business, but to organize, prioritize, and manage risk: map processing activities, justify the legal basis, limit scope to what is necessary, define retention periods, and ensure traceability.
The fourth lesson comes from the role that Legal and Compliance naturally play. Without prejudice to the fact that data protection requires a comprehensive and cross-cutting approach, the experience gained from developing Crime Prevention Models is key. These teams are probably the most familiar with governance logic, the allocation of preventive responsibilities, traceability, and evidence of compliance. And that is precisely what differentiates a program that works from one that merely “exists.” The point is not for Legal and Compliance to do everything alone, but to lead methodically and rely on the resources and expertise that the challenge requires.
This year confirms something we already know in Compliance: what is not operationalized fades away. The same applies to data protection. If compliance is translated into processes, culture, and evidence, the organization arrives prepared. If it remains at the level of intentions and declarative documents, it arrives too late.
Learn more about the Data Act here.
Column written by:
Yoab Bitran | Director, Compliance Group | ybitran@az.cl
Antonia Nudman | Senior Associate, az Tech | anudman@az.cl
