Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), 26/August/10
What is this law looking for?
• Protect personal data held by companies.
• Control legitimate treatment, monitoring and reporting, in order to ensure privacy and the right to informational self-determination of individuals.
Which rights are covered by the law? (ARCO, by its Spanish acronym)
Access
• The owner could request which personal data is processed by the data controller and how it is treated.
Rectify
• The owner can request the change of data that is inaccurate or incomplete.
• If the data was transmitted to a third party, the responsible party should notify it of the rectification.
Deletion
• Right to request that data is blocked for a period of time in which it cannot be given any type of treatment. After this period, it should be abolished.
Opposition
• Is given as long as there is a legitimate cause. If so, the responsible party has to exclude the data from any treatment.
What is the core of the law?
• The client, employee or vendor has the right of self-determination at all times.
• In the case of sensitive data treatment, the authorization needs to be explicit.
• The classification and protection of personal data is a function that any company must comply with.
• Sensitive personal data is considered: ethnic or racial origin, health status (present and future), genetic information, religious, philosophical and moral beliefs, union affiliation, political views and sexual orientation, or any data that could cause high risk to the owner of the data.
What do companies need to do?
• Classification and data protection
• Establish, document and maintain security measures
• Privacy notice
• Communicate data transfer to third parties
• Appointment of a Chief Privacy Officer
• Treatment authorization from clients, customers or employees
Deadlines to comply with the law
• Mexican federal government issued the law on July 5, 2010
• Clients, employees or vendors could request their ARCO rights starting January 6, 2012
• Important deadlines:
– July 6, 2011:
• Companies must appoint a Privacy Officer.
• Companies must issue privacy notices.
Sanctions / Penalties
• Warnings
• Fines from $5,584* to $17,868,800*
• Additional fines from $5,584* to $17,868,800* (when the infraction happens more than once)
• All fines may increase by 100% if the personal data is sensitive
• Jail up to 10 years
* Mexican pesos
What do companies need to do?
• Train all the employees about the privacy programs
• Create privacy policies and programs
• Establish a privacy monitoring process
• Assign resources to implement the privacy programs
• Establish a procedure to manage the privacy risk
• Review the privacy program periodically
• Implement the procedures to receive the concerns and complaints about the privacy
• Implement the mechanisms to sanction in case of a noncompliance situation
What do companies need to create?
• Roles and responsibilities of persons who process personal data
• Inventory of personal data
• Inventory of the treatment systems
• Risk analysis of personal data
• Roadmap for the implementation of security measures
• Security measures for personal data
• Gap analysis of security measures
• Reviews and/or audits
• Registration of cancellations or destruction of personal data
• Train staff who process personal data
• Record the mass storage of personal data
Privacy is not only about compliance!
Through privacy we guarantee individual rights. By doing so, we increase stakeholder trust and increase our competitiveness.