News

/ Approach to data privacy from a self-regulatory perspective

January 19, 2024

Jaime Urzúa
Associate Attorney
Alessandri Abogados

The most up-to-date jurisdictions on data protection share the view that self-regulation is the ideal way to prevent infringements, through the analysis of the risks associated with the processing of personal data. An example of this is the enshrinement of the duty of protection by design and by default.

This principle means that data controllers must establish appropriate technical and organizational measures before and during the processing of personal data (privacy by design), so that, in a predefined manner, only the specific data strictly necessary for a given purpose are processed (privacy by default).

Perhaps the most graphic expression of this principle is the Privacy Impact Assessment (PIA). The PIA is an instrument widely used by organizations (although not yet well known in Chile) that allows a given data processing operation to be analyzed from a risk perspective. This tool makes it possible to identify the data that will be processed, the risks associated with their processing, the measures that could mitigate the threats and, finally, to assess the impact of carrying out a particular personal data processing initiative. The PIA also allows the benefits sought by the data controller to be stated and weighed against the risks identified. In short, the result of this analysis facilitates the determination of the risks, which must then be compared with the risk appetite tolerated by the data controller.

The following are some recommendations for the preparation of a PIA:

1. Identification of the initiative: description of the processing, objectives sought and expected benefits. Here it will be essential to ask whether there are other ways of obtaining the same benefits.
2. Identification of the parties involved: who the data controller is, which area will be in charge of the initiative, and whether there will be third-party processors or sub-processors who will process the data.
3. Identification of the data: what data will be processed and their legal nature, the purposes and duration of the processing, the origin of the data, and whether sensitive data will be involved.
4. Communication of data: with whom the data will be communicated and by what means.
5. Determination of risks and measures to mitigate them: identification of risks (legal, reputational, technical, commercial, among others) and ways to reduce or limit them.

The PIA may contain an action plan that sets out who will be responsible for carrying out the mitigation measures, for the continuous monitoring of the processing, and for the frequent auditing of the risks associated with such data processing, as well as of compliance with the mitigation plan.

It is recommended that the PIA be reviewed and controlled by the Data Protection Officer (DPO), or by whoever performs those duties, taking into account the type and nature of the risks associated with the data processing analyzed.
