When does the new Personal Data Act come into force?

24 months after the publication of the new law.

 

What should companies do to prepare?

  • Conduct audits of the processes that involve data processing.
  • Determine the company’s level of compliance with the new legislation, as well as its exposure to regulatory risk.
  • Identify databases and clean them in accordance with the proportionality principle.
  • Review and update privacy policies.
  • Identify the lawful basis under which the company can process each category of personal data it currently processes.
  • Analyse the suppliers involved in the data processing carried out by the company. They are data processors and must comply with the standard defined by the company.
  • Do not overlook the processing of employees’ personal data by the employer and the compliance obligations attached to it; this processing must also be brought into line with the law.

 

What security measures should companies implement?

  • Adopt appropriate technical and organisational measures: access controls that limit each worker’s access to information according to their role; technological safeguards such as firewalls and antivirus; data processing agreements with processors; and pseudonymisation wherever the processing being carried out allows it, among others.
  • Determine the suitability of suppliers.
  • Define controls and audit them to ensure they are being complied with and, where necessary, implement improvements.
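Pseudonymisation is listed above as a measure, but it only limits exposure if it is done with a secret key that is held separately from the pseudonymised dataset. The following is an added example (not code from the original page or from the firm behind it) showing why: a plain hash of a short identifier is recovered by simple enumeration, while a keyed HMAC token is not, yet it still supports deterministic joins across tables. The record layout, the 4-digit employee-number format and the key-handling names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Pseudonymiser:
    """Keyed pseudonymisation of direct identifiers.

    The key is the 'additional information' that would allow re-identification,
    so it must live apart from the pseudonymised data (a KMS/HSM or a separately
    access-controlled secret store; assumption of this example). The `domain`
    string gives each purpose its own pseudonym space, so a token issued for
    marketing cannot be matched against one issued for HR.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    domain: str = "customer-id"

    def pseudonymise(self, identifier: str) -> str:
        # Domain and identifier are separated by a NUL byte so that
        # ("ab", "c") and ("a", "bc") cannot produce the same message.
        msg = f"{self.domain}\x00{identifier}".encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256, the common mistake: it is not pseudonymisation,
    because anyone can hash every plausible identifier and compare."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:32]


def recover_by_enumeration(token: str, candidates, token_fn):
    """What an attacker holding only the dataset can do: try every candidate
    identifier through the same function and look for a match."""
    for candidate in candidates:
        if token_fn(candidate) == token:
            return candidate
    return None


def pseudonymise_records(records, pseudonymiser: Pseudonymiser, fields):
    """Replace the listed direct-identifier fields in each record with tokens,
    leaving the remaining attributes untouched."""
    out = []
    for record in records:
        new_record = dict(record)
        for name in fields:
            new_record[name] = pseudonymiser.pseudonymise(str(record[name]))
        out.append(new_record)
    return out


# Constructed sample data: 4-digit employee numbers, a small space that
# makes the weakness of the unkeyed hash obvious.
EMPLOYEES = [
    {"employee_no": "0042", "department": "Finance", "salary_band": "B"},
    {"employee_no": "1234", "department": "IT", "salary_band": "C"},
]
ALL_POSSIBLE_EMPLOYEE_NOS = [f"{n:04d}" for n in range(10_000)]


if __name__ == "__main__":
    hr_key = secrets.token_bytes(32)          # held by HR, not shipped with the data
    p = Pseudonymiser(key=hr_key, domain="hr-analytics")
    tokens = pseudonymise_records(EMPLOYEES, p, ["employee_no"])
    print("Pseudonymised:", tokens)

    # Unkeyed hash: the analyst (or a thief of the dataset) gets the number back.
    print("naive recovered:",
          recover_by_enumeration(naive_hash("1234"), ALL_POSSIBLE_EMPLOYEE_NOS, naive_hash))
    # Keyed token: enumeration without the key finds nothing.
    print("keyed recovered:",
          recover_by_enumeration(tokens[1]["employee_no"], ALL_POSSIBLE_EMPLOYEE_NOS, naive_hash))
```

Because the token is deterministic for a given key and domain, two datasets pseudonymised with the same `Pseudonymiser` can still be joined on the token; rotating the key, or using a different `domain`, deliberately breaks that linkability.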

 

How should companies manage data protection risks?

  • Adopt due-diligence measures to prevent breaches, implemented through a risk management system.
  • Regularly train the board of directors and all employees of the company.
  • Conduct Privacy Impact Assessments (PIAs), which measure and mitigate the risks associated with an initiative involving the processing of personal data.
  • Create a risk matrix.
  • Establish controls and audit both compliance with them and the improvements made.
  • Build a culture of evidence, so that compliance can be demonstrated.
  • Establish incident response plans that set out the actions to take in the event of a personal data breach.

 

What is the role of the Personal Data Protection Agency?

The Personal Data Protection Agency is the body responsible for ensuring compliance with the law. Accordingly, it will have the following powers:

  • Regulatory: it may issue instructions and rules, and interpret legal and regulatory provisions on personal data.
  • Supervisory: it may audit, or require information from, those who process personal data.
  • Enforcement: it may impose fines on those who violate the law or order them to suspend data processing.
  • Coordinating: it will liaise and collaborate with public and international bodies.

 

How should companies adapt to the new opt-in model?

  • Review their current databases, distinguishing those processed on a statutory basis from those processed on the basis of consent.
  • Verify that existing consents comply with the current standard.
  • Review what will need to be adjusted under the new regulation; for example, apply granular, freely given consent.
  • Implement privacy policies and consent capture forms.
  • Have a system in place to manage consent according to data subjects’ preferences (granular consent).
  • Delete data for which there is no consent to process them and which do not fall under any of the other bases of lawfulness established by law.
  • Bear in mind that the new regulation changes the rules on publicly accessible sources.

 

What should a breach prevention model contain?

  • Clear policies and procedures that enable the company to manage the risks associated with the processing of personal data, together with monitoring and control mechanisms capable of warning of risks in the processing of data and measures to mitigate them.
  • Awareness-raising and continuous training programmes that ensure employees know the standards required by data protection regulations.

 

What penalties do companies face for non-compliance with the law?

Mainly the following:

Type of infringement    Fine
Mild                    written reprimand or fine of up to 5,000 UTM
Serious                 fine of up to 10,000 UTM
Very serious            fine of up to 20,000 UTM

 

  • In case of recidivism, the Agency may apply a fine of up to three times the amount assigned to the infringement committed. If the repeat offence concerns a serious or very serious infringement by a large enterprise, the fine may alternatively be set at 2% or 4%, respectively, of the company’s annual sales and service revenues.
  • During the first year of the law, Small and Medium Enterprises will not be subject to fines, but only to warnings.
  • Affected data subjects may sue for compensation for the damages suffered. In this regard, Sernac and consumer associations can bring collective actions based on diffuse moral damage.
  • Last but not least is the reputational damage a company can suffer from being audited and sanctioned.

 

How can companies handle international transfers of personal data?

The law establishes that a country has an adequate level of data protection when it complies with standards similar to or higher than those set out in the law. One of these standards is the existence of adequate safeguards (instruments, mechanisms or clauses) that provide principles, rights and guarantees similar to or greater than those offered by the law and that grant data subjects enforceable rights and effective legal remedies. It is advisable to start by identifying which international data flows exist and to which jurisdictions, and then the additional measures that can be implemented to protect the personal data transferred.

 

What should companies do to be fully compliant with the new law?

  • Foster a culture of data protection by creating a privacy programme and developing a prevention model.
  • Update their risk matrix, policies and procedures related to the processing of personal data, focusing on the identification of risks and the establishment of measures to mitigate them, so that they are adapted to the reality of the company. Prevention models are living instruments.
  • Keep informed about the new law, as well as specific rules that may be issued by the Agency and future administrative jurisprudence.

 

Read the article in Diario Financiero with an interview with Macarena Gatica