Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
As Chilean companies navigate the country's new Personal Data Protection Law No. 21.719, technical and legal facilitators are critical who understand the complex legislative changes and can help organizations safeguard the privacy and integrity of information, while continuing to boost the digital economy.
This is where the data protection officer emerges. While the LPDP establishes the DPO role in Chile, this strategic figure must have a business vision in order to see how organizations can obtain the maximum value from their data, while respecting the dignity of citizens.
The role of the DPO should be understood flexibly. In addition to monitoring LPDP compliance, and being an essential point of contact between organizations and the newly created Personal Data Protection Agency, and between individuals and the data controller, the DPO also fills a consultative and training role. DPOs have the special opportunity to advise those working to mitigate privacy risks, including around the use of new technologies.
This is where the transformation of the role of the DPO can be appreciated, considering that in small and medium-sized European companies it has grown to tasks including implementing and supervising an ethical and responsible framework for artificial intelligence use.
The LPDP will fully take effect 1 Dec. 2026.
The benefits of a DPO
In July 2025, France's data protection authority, the Commission nationale de l'informatique et des libertés, studied the economic benefits of having a DPO. The CNIL stressed that DPOs enable a competitive advantage, help avoid penalties for noncompliance with personal data legislation, prevent data leaks and optimize data management.
The CNIL said DPOs were most represented in research, information and technology, and consulting, as well as banking, insurance and mutuals.
It is those organizations that handle the largest amount of data, whose data processing represents a greater risk, or which require a higher level of protection, that ultimately benefit the most from the trust and security the DPO inspires — both internally and in the eyes of other organizations.
Who needs a DPO
On the need to appoint a DPO, in the EU, Article 37 of the General Data Protection Regulation is quite clear. A DPO is mandatory when processing is conducted by a public authority or body, or where the processing of personal data involves large-scale systematic observation, sensitive personal data on a large scale or data on criminal convictions and offenses.
This contrasts with the LPDP, which does not require a mandatory DPO. Article 49 of the LPDP establishes that organizations may "voluntarily adopt an infringement prevention model," which includes among its elements the "appointment of a personal data protection officer."
So, instead of whether a DPO is required, the more appropriate question for organizations in Chile to ask might be whether it is needed due to the nature of the organizations' data processing. If the answer is yes, the next question is whether the DPO needs to be full-time or can span other roles.
In this sense, it is worth remembering the DPO role must be flexible and adjusted to the organization. The CNIL study stated that in 2024, 85% of DPOs surveyed carried out their tasks nonexclusively, and in conjunction with other tasks within their organization. This is fully consistent with the LPDP, which allows the DPO to perform other functions if they do not lose their independence.
For its part, Decree No. 662/2025 from the Ministry of Finance established a regulation on infraction prevention models required under the LPDP, which details companies' compliance systems, and allows the DPO role to be either internal or external.
The nuance must be clear. In general, all organizations can benefit from having a DPO. However, for practical purposes, companies with business models based — in whole or in part — on data or on the commercialization of potentially intrusive innovative solutions with respect to people's data, will be more exposed to regulatory sanctions and could legitimately perceive a DPO as necessary in practice.
Conclusion
The CNIL's study found 58% of organizations see compliance with personal data protection regulations as a strategic opportunity, which would justify a greater allocation of resources to the role of the DPO, considering it has the potential to reduce the risk of massive fines, as well as enable ethical innovation when the use of personal data is required.
The challenge in Chile, then, is for the DPO to be perceived as a new role that adds value, considering it will facilitate leadership of technological advances within organizations, while focusing on building a culture of personal data protection and digital trust generation.
Oliver Ortiz, CIPP/E, is a senior manager at Deloitte Legal in Chile.
