International Personal Data Protection Day: Where to start?

Jan 29, 2025

We invite you to read the column written by our directors Yoab Bitran (Compliance Group) and Ivonne Bueno (az Tech) on the occasion of International Personal Data Protection Day, where they analyze the most significant advances in Chile.

On January 28, 2006, Convention 108 of the Council of Europe, the first international treaty on personal data protection, opened the door to its signature by countries outside the European continent. This expansion marked a milestone in the global protection of personal information, which is why today is celebrated as International Personal Data Protection Day.

In tune with global trends, Chile adopted, as of 2018, the protection of personal data as a fundamental right, enshrined in the Political Constitution (19 N°4). This progress has made its safeguarding a priority, since the lack of adequate measures may have serious consequences, both for individuals – including discrimination, damage to privacy and violation of dignity – and for companies, which may face severe financial and reputational damages.

In this context, the enactment of Law No. 21.719, which amends the obsolete Law No. 19.628, has significantly raised the standards of personal data protection in Chile, aligning them with those established by the General Data Protection Regulation (GDPR) of the European Union. The new legislation not only establishes clear principles on data processing, but also creates new obligations, expands the rights of data subjects (all citizens) and introduces a new Compliance and the figure of the Data Protection Officer. In addition, it contemplates severe penalties for non-compliance with its provisions and establishes a technical agency in charge of issuing guidelines, supervising and sanctioning violators (up to 20 thousand UTM).

Although the law will come into force on December 1, 2026, the time for its implementation is limited. Indeed, although it may seem a generous deadline, international experts have pointed out that the implementation of the GDPR in Europe required more than two years due to its complexity, which not only covers legal aspects, but also requires adjustments in procedures, practices and business models. In this sense, many organizations had to start adapting urgently or face serious consequences, ranging from irreparable damage to their reputation to million-euro fines that, in some cases, led to bankruptcy.

So, where to start? The first step is to perform an internal diagnosis: identify what data is being collected, how it is managed, who has access to it and what protection and control measures are being implemented, among others. In other words, the key is to establish efficient data governance. Only with an orderly structure will it be possible to detect security breaches and take the necessary corrective actions in line with the new law. This implies, for example, designing breach prevention programs, establishing a clear roadmap, applying adequate controls, defining responsibilities and training the organization, among others, to ensure compliance with the new regulations and to generate a corporate culture in this area from the outset.

In short, getting ahead of the curve is key: you arrive on time with your house in order, your data protected and secure, with a lower risk of being sanctioned by the future Agency and of suffering reputational damage before clients, employees and investors, while building a solid data protection culture. It is time to act, ensure compliance and protect both individuals and organizations (Santiago, January 28, 2025).

Column written by:

Yoab Bitran | Director Compliance Group | ybitran@az.cl

Ivonne Bueno | Director az Tech | Ibueno@az.cl

Source: Diario Constitucional, January 29.