Colombia’s Superintendence of Industry and Commerce (SIC) has launched the Colombian Accountability Guidelines—the first of its kind in Latin America. The result of a multi-stakeholder process, the aim of the document is to help companies implement Colombia’s Data Protection Regulation of 2012.
A Little Background
After the regulation passed, a secondary regulation was issued in 2013 to implement the general data protection law. Articles 26 and 27 of the secondary regulation call for “demonstrable responsibility,” meaning data controllers should be able to demonstrate—should the data protection authority request it—that they have implemented appropriate and effective measures to comply with the data protection law. The actions should be “proportional to the legal nature of the controller,” as translated by José Alejandro Bermúdez Durana, deputy superintendent for data protection at SIC. So when designing a data protection program, the size of the corporation should be taken into account, as should the nature of the data being processed by the controller: Is it sensitive data? Is it health data? Is the data being transferred overseas, and is a third party involved?
The secondary regulation also says the controller company should be able to provide a description of the internal procedures it has implemented in order to demonstrate its security measures and the relevance to individuals of the data it is processing. Those procedures should be based on the instructions given by the data protection authority, the SIC. The procedures should include an administrative structure proportionate to the implementation of the policy and to the company’s size; the implementation of tools, training and education; and the adoption of processes or procedures for handling and responding to petitions and requests made by data subjects about the processing of their data.
Finally, the secondary regulation says companies that adopt specific policies and measures for the adequate processing of personal data will be looked upon more kindly by the SIC when conducting an investigation or deciding whether to impose a fine should a breach or violation occur.
From Policy to Practice
“We had lots of questions from industry on how to apply Article 26 and 27,” Bermúdez said. “What we really wanted to do was to offer the private sector a tool that would help them set up a good program within their organizations.”
The guidelines are, of course, not mandatory, but companies that follow them will be able to set up privacy programs that cover everything the law requires, Bermúdez said. The idea is to push the message that the right way to enforce data protection is to partner with private-sector organizations to help them implement good programs, train staff and commit to the program.
The guidelines reflect many of the provisions in the OECD revised accountability guidelines, released in 2013, Bermúdez said. But the idea to issue guidelines specific to Colombia’s law stemmed from conversations with former Canadian Privacy Commissioner Jennifer Stoddart, who had issued similar guidelines in her country in 2012. Hong Kong’s Office of the Privacy Commissioner for Personal Data has also issued accountability guidelines. Elements from both countries’ models can be seen in the Colombian guidelines, Bermúdez said.
Bermúdez says the staff has been very active since the data protection branch opened. The total number of complaints it has received since 2009 is 16,623.
“We’re totally aware we have limited resources,” said Bermúdez. “We’re a staff of 25. That’s not bad, but it’s not the FTC. The agency isn’t going to be able to look into every single data breach in a country of 45 million.”
That’s why the goal is to get companies to build sound data protection programs proactively.
Since the regulation passed and gave the agency the power to impose fines for data protection infractions, companies appear to be paying attention. More than 400 people attended SIC’s annual conference this year.
That may have something to do with a change in enforcement. The first year after the regulation passed, the agency focused mostly on education and awareness. But in 2013, it issued fines for a total of U.S. $1,226,000. So far in 2015, it has issued fines totaling $651,000.
“It’s not our policy to fine to raise awareness,” Bermúdez said. “But when there are fines involved, there’s almost an immediate interest.”
The goal is to incentivize companies to implement strong data protection programs, training staff appropriately and committing real resources to the data protection effort.
“That’s going to bring benefits” to the companies themselves, Bermúdez said, adding he hopes other Latin American countries are watching and plan to follow Colombia’s lead.