By: Juan Carlos Carrillo. @juan_carrillo
Expert collaboration of Molet Burguete Abogados (MBA) in Mexico City.
A lot of companies that have headquarters outside of Mexico ask me what they need to do to comply with the Mexican Privacy Regulation (LFPDPPP). Thank God, they are not expecting, like many Mexican people, a silver bullet that will resolve all their privacy problems cheaply, quickly and easily.
Well, for those who love to hear about cheap, quick and easy, this is the moment to leave.
I remember back in the 90’s that the phrase “process reengineering” was in vogue (not Madonna’s song). Well, we don’t use that phrase anymore, but the privacy concept as we are using it right now is exactly a reengineering.
Because of that, it is important that the privacy reengineering process involves not only lawyers, and not only technology people.
To explain how this reengineering needs to be done, I am going to use two articles of the secondary regulation (Reglamento): Article 48 in this blog post and Article 61 in the following one.
Articles 48 and 61 are the closest we have to that silver bullet; in these articles we will find the action plan for the CPO and the CISO.
Article 48 is part of the responsibility principle, and its measures are mentioned as the minimum a company needs to implement. So let’s understand what these requirements are for.
1. Develop privacy policies and programs that are mandatory and enforceable within the responsible organization.
– This is the starting point for any organization, not the privacy notice, as has happened in Mexico. Without policies and programs a notice is worthless.
2. Implement a program of training, updating and staff awareness about the obligations regarding the protection of personal data.
– Once you have your privacy policies and programs, you should be training your employees on them. This is common in some industries (e.g., financial) with AML, ethics or sexual harassment training.
3. Establish a system of supervision and internal monitoring, checks and external audits to verify compliance with the privacy policies.
– If you run a stoplight without a fine, or you speed without any consequence, you will do it all the time; the same happens with policies that don’t have a monitoring process in place.
– Any Information Security Management System or Data Protection Management System should follow the PLAN-DO-CHECK-ACT model, and if you follow that model, CHECK means monitoring.
4. Allocate resources for the implementation of the privacy programs and policies.
– I think this is one of the greatest hits of the regulation. It is very common that companies try to implement these efforts without any investment in people, infrastructure, consulting or assessments.
– We have to be very cautious with this point in the case of any review by the authority, because it is going to be all about documentation.
5. Implement a process to address the risks to the protection of personal data posed by the implementation of new products, services, technologies and business models, and to mitigate them.
– The model the regulation follows regarding the actions that need to be implemented is not one-size-fits-all but risk-based.
– This point is critical when companies elect either a CPO or a privacy board, where a risk person needs to be looking at any type of risk this regulation could touch.
6. Periodically review the security policies and programs to determine the modifications required.
– Privacy is not a project, it is a process; even after the implementation of the privacy policies, procedures, notice, training, etc., the process needs to keep improving and adapting to new necessities.
7. Establish procedures to receive and respond to questions and complaints from the owners of personal data.
– I normally suggest that this process be part of the ARCO process; it doesn’t make sense to create a new process. The ARCO process should also answer questions and complaints.
8. Have mechanisms for compliance with the privacy policies and programs, and sanctions for noncompliance.
– This is closely related to point number 3; without sanctions, the policies and procedures will never be fully effective.
9. Establish measures for securing personal data, that is, a set of technical and administrative actions to ensure compliance by the responsible party with the principles and obligations under the Act and these Regulations.
– If you have a security policy, a CISO or a security consultant, you should explain the law to them so they can work on a plan to introduce security measures for all personal data.
10. Establish measures for tracking personal data, i.e., actions, measures and technical procedures that allow the tracking of personal data during its treatment.
– Technically this requirement is hard, but remember you can always implement these measures as technical, physical or administrative ones.