What Your Company Needs to Do to Comply With the Protection of Personal Information Rules

Feb 11, 2016

In Circular Externa Number 002 from November 3, 2015, the Superintendence of Commerce and Industry set up the Registro Nacional de Bases de Datos (RNBD, national database record). Guidelines were established for the responsible parties to process the RNBD registration of personal databases that include: personal information, legal entities of a private nature registered by the Chamber of Commerce, and companies with both public and private funding.

Since 2012, when the Law Protecting Personal Information went into effect, we have been hearing about the creation of a register that will include all of the personal databases. This has not yet happened, but the aforementioned Circular, from the Colombian government, began to develop these regulations in Decree number 886 from 2014. This Decree made direct reference to the creation of the RNBD and gave the SIC the responsibility for creating and administering the official register.

The SIC is the entity appointed to deal with all matters related to protection of information. In November 2015 the SIC launched the RNBD, which is intended to register all of the personal databases that companies or individuals involved in commercial activities develop. With this measure, the SIC hopes to have better control over the databases and see what kind of information each is storing.

This new regulation that companies must comply with is not intended to bring any benefit to the companies themselves. The objective is to protect the owners of this personal information and guarantee that the company that possesses it fully abides by the law in the way it uses the information.

For this reason it would be useful for companies to have professional advisors to guide them in conducting an inventory on the state of compliance regarding protection of information. In addition, guidance regarding the verification and existence of personal databases in each area is relevant. When the time comes to register their database with the RNBD, they can certify to the SIC that: a company policy is in place regarding information data processing, the security measures implemented are sufficient, and there has been no tampering with the information. These are requirements to demonstrate that the company is following the applicable guidelines.

The registration process with the RNBD involves completing an internal due diligence process about personal information databases and the company’s internal procedures for collecting, storing, using, and administering information. This is a complicated process necessitating a series of detailed steps prior to registering the information. Companies need to identify the databases they possess and the exact information contained within them, verify that they have the necessary authorization to utilize the information, and confirm that their policies regarding protection of information comply with all of the requirements stated in the law, among other steps.

Therefore, it is highly recommended that companies have rigorous professional counsel to guide them through this obligatory compliance process before the SIC. This support will usually be oriented towards preparing the necessary documentation, legalizing the form that companies need to fill out about data processing, identifying the relevant elements from each current database being used, and determining which of them need to be registered. In addition, expert professional counsel will give advice on any other aspects necessary to ensure compliance with the aforementioned obligation.

At this time, many companies are just beginning to uncover a range of problems in the registration process. These include, but are not limited to: lack of a privacy policy; having a privacy policy that needs to be modified in order to comply with the current regulations; missing proper authorization for data processing; and inadequate clarity about the way that the data processing is taking place. These problems need to be thoroughly assessed and adequate solutions found in order to effectively comply with all of the legal requirements.

All of these concerns, problems, or facets should be solved or corrected by professionals that advise the firm in this process. This needs to be done quickly and efficiently, as the deadline is approaching. The RNBD has established November 8, 2016, as the due date to register the databases that each company possesses.

There is still time. Seek counsel.

Contacts:

Enrique Álvarez 

ealvarez@lloredacamacho.com 

María Alejandra De Los Ríos 

mdelosrios@lloredacamacho.com
