Inspiring Women in Law: Macarena Gatica examines Chile’s new Data Protection law and offers keys to its implementation in companies
September 5, 2024
Alessandri - After more than seven years of legislative processing, the draft law on personal data in Chile has been passed into law.
It is now up to the Constitutional Court to examine its constitutionality.
Latin Counsel spoke to Macarena Gatica, partner at Alessandri Abogados and leader of the firm’s Technology, Media, Telecommunications and Data Protection practice, about the real implications of this new law for companies and its implementation.
Latin Counsel: What does this new law seek to achieve?
Macarena Gatica: The new Personal Data Law in Chile seeks to strengthen the protection of citizens’ personal data, giving greater control of data to data subjects. It also establishes a regulatory framework under which organisations can process personal data.
LC: What are the key points of this law for companies to take into account?
MG: The processing of data with a risk-based approach and its appropriate management. New categories of data with specific regulation, new bases of lawfulness in which consent has requirements that change the way it is managed today. It creates the Data Protection Agency, the body in charge of supervising compliance with the law, with fines that in the case of repeated serious infringements can reach up to 4% of the previous year’s income.
LC: What are the main obligations for companies under this law?
MG: To prove the lawfulness of data processing (consent), to inform about data processing, to keep data confidential, to adopt security measures, to manage risks and to report breaches.
LC: What do you foresee as the impact on businesses?
MG: The biggest impact is on the work that the organisation has to do to achieve the new standard and compliance with the law. It involves costs associated with compliance assessment and gap identification processes, risk assessments, automating the capture and management of consent, as well as the exercise of Arco rights, establishing the necessary structure for risk management, among other conducts aimed at preventing breaches and associated fines.
LC: Do you think that Chilean companies are sufficiently prepared and trained for compliance with this law?
MG: In general, there are companies that have begun the process of adaptation, however, there are many that waited for the law to be passed. It should be remembered that Chile is not a country with a history or culture in these matters, so the implementation of adequate data protection policies and the adaptation of systems and processes will require considerable effort.
LC: What are the main obstacles that companies may face when implementing compliance?
MG: Lack of resources, lack of knowledge, complexity of consent management, training, technological adaptation.
LC: What will be the consequences of non-compliance?
MG: The penalties for very serious infringements can be up to 20,000 UTM, and in the case of repeat offences, the fines can be multiplied by three. If the recidivism refers to serious or very serious infringements by large companies, there is alternatively the possibility of being sanctioned with 2% or 4% of the annual sales and service revenues. In addition, companies may face significant reputational damage, compensation claims by those affected, and possibly more severe penalties if the company is large.
LC: Could this new law in any way scare away investment in the ICT industry?
MG: Given that this new law is a big leap for a country unfamiliar with these issues, the high level of fines might be thought to have a significant impact on investment in various industries. However, we see that compliance with this law should be seen as an opportunity, in the sense of being a differentiating factor in doing business by putting the protection of people’s data at the centre. Also, the technology industry has been the fastest to adapt to the law.
LC: Which tools does the Agency have in order to monitor compliance?
MG: The Personal Data Protection Agency will have regulatory, supervisory (ex officio or upon request), sanctioning and coordinating powers. It will be able to audit, request information, impose fines and even suspend data processing. It will also collaborate with international bodies and issue standards and guidelines for compliance with the law.
LC: How does Chile compare to other Latin American jurisdictions in terms of data protection laws?
MG: Chile was a forerunner in the region by having the law currently in force in the 1990s. However, rapid technological progress made it practically obsolete. With the implementation of the new law, Chile is aligned with international data protection standards, as the new regulation is very similar to the General Data Protection Regulation (GDPR) of the European Union.
This positions Chile as one of the countries with a more robust regulatory framework in terms of data protection, which could improve its competitiveness and attractiveness in the global arena by eventually being considered as a suitable country for data processing. This is in line with Chile’s opportunity to be a digital hub in the region, since we have advantages in terms of connectivity, data centre infrastructure and political stability.
Learn more about Macarena Gatica
Founded 20 years ago by Ana Trigas, Latin Counsel is the premiere bilingual international Digital Legal Platform
Suscribe to our newsletter;
Our social media presence