Digital compliance triad and companies

Jan 6, 2025

We invite you to read the column written by Antonia Nudman, senior associate in our IP, Tech and Data Group, on the digital compliance triad and how companies should prepare for the Data, Cybersecurity and Artificial Intelligence regulations.

Our society is structured around, and functions on the basis of, digital assets and cross-cutting technologies that apply to all industries. As a consequence, it has become necessary to regulate the use of technologies and information security through the “Digital Compliance Triad”, formed by the Law that regulates the protection and processing of personal data and creates the Personal Data Protection Agency; the Cybersecurity Framework Law; and the Bill that Regulates Artificial Intelligence Systems.

Although change is imminent and we know that we will have to comply with the obligations of each of the rules that make up the triad, the time frames for implementing each one will be different.

We are currently in the 24-month vacancy period prior to the entry into force of the new personal data law. This has awakened growing interest across industries since, although two years seems a reasonable time, comparative experience in the European Union shows that on many occasions, depending on the institution's degree of maturity, this period may not be sufficient.

This is mainly because the standard of compliance is not limited to technical aspects; it also extends to the change in organizational culture that all public and private institutions that process personal data must promote.

The risk of a breach can materialize at any stage of processing, for example, from the collection of the data by the personnel in charge to its subsequent handling by senior management. In this context, it is imperative that institutions have adequate policies, standards and prevention models to reduce the margin of error in the handling of information.

It is essential that the guidelines to be implemented also take a cross-cutting view of the Digital Compliance Triad. Planning should therefore include an analysis of the type of service or line of business that the institution in question maintains.

We know that the Law on Personal Data Protection will apply to any public or private institution, but it is worth asking questions such as: What happens when one of the other two regulations that make up the triad is likely to apply to me? Can my line of business be classified as an essential service or a vital operator? Does my business involve some of the activities that the Draft Law on AI Systems includes within its catalog of application?

A cross-cutting and comprehensive foundation for future Prevention Models, in the context of the Digital Compliance Triad, will be a key element in anticipating what is to come. Their configuration should be flexible enough to adapt to subsequent requirements, considering that some aspects are still under development.

Thus, we will have working foundations that serve as a bridge to the future, without having to restructure them completely when the time of adaptation comes.

Column written by:

Antonia Nudman | Senior Associate | anudman@az.cl

Source: Diario Financiero, January 06. [See here]
