If you have been a reader of the blog for some time now, you know perfectly well that digital businesses also have data protection obligations, especially if you were targeting a market within the European Union.
But what if your business is located in Latin America? That is a question we are going to answer in this post.
It is important that you keep in mind that for a long time there has been a misrepresentation of information regarding the legal obligations that digital businesses have in Latin America and even more so regarding data protection.
5 myths of data protection in Latin America
All this confusion may have arisen perhaps because in many Latin American countries digital businesses are still a taboo in the regulation and has always sought to solve the legal problems of these businesses with the conventional regulations that apply to “normal” or physical businesses.
However, digital businesses have very specific situations that only affect them, such as cross-border processing of personal data.
What about the legal aspect of such cross-border processing of your data?
- All data must be protected
False. Something I want you to keep in mind is that talking about data is not only talking about personal data, because there are different types of data.
It is for this reason that in this post we will focus specifically on the treatment of personal data, but you should know that there are statistical, demographic, business, etc. data.
There are several types that serve to analyze different objectives, depending on their context.
Even within the classification of personal data we can also talk about sensitive data, but I don’t want to complicate things too much, so in this post we will only talk about personal data and the legal obligations regarding them.
- Nobody audits us in my country
Obviously this is false, in each country there are already agencies and control mechanisms.
It is true that some are more incipient than others. For example, in some countries the Database Registry is still applied, while in others it has never been applied or it is already a thing of the past.
On the other hand, your focus has to be on the fact that your customers today are very well informed and it is not easy for them to trust where they are not given security.
Even if you are not inspected by the authorities, your visitors do it all the time and you cannot measure how many sales you lost because they did not feel your business was safe.
- They only audit large businesses with a good turnover.
Of course it is false.
The laws are the same for everyone and it is not possible to classify between people who are audited or not, much less when what is being protected is a fundamental human right such as privacy.
From my perspective, this is the most absurd myth of all, it is to believe you are invisible before the laws for some things and at the same time expect the laws to take you into account when it comes to protecting you.
- The biggest websites in my country do not apply personal data protection.
Nobody knows what goes on behind the doors of each business and in any case, that has to influence your business management decisions.
It is one thing to study the big brands to understand their best strategies and quite another to condition the future of your business to what they do or don’t do.
And if you take as a reference someone who is your competitor, even worse, because you should see it as an excellent opportunity to differentiate yourself from the competition and position yourself better in front of your potential customers.
If they don’t trust them and you appear in their search, they will be able to see you with better eyes.
- I do not sell in the EU, I should not protect personal data.
It is no secret that the GDPR exists within the European Union and all the possible penalties and fines for not applying it.
And if you do not know what this law is, here is a post where Marina Brocca tells us the RGPD sanctions that your website can receive today if this regulation applies to your business.
However, this would be valid if it were only about complying with the EU GDPR; but here we are going further and we are talking about the data protection regulations that already exist and that you must take into account first in your country, but you are ignoring them.
On the other hand, can you be sure that you have never collected data from citizens within the European Union?
Nowadays it is almost impossible to be sure of that, and if you want to internationalize your business, in addition to the regulations of your country you have to apply concordances with international regulations.
So, this is another unfounded myth.
What is the RIPD?
Perhaps the first time you hear about the Ibero-American Data Protection Network (RIPD), which is nothing more than an international forum that since 2003 has been promoting regulatory initiatives regarding the processing of personal data.
This network seeks that the member countries of this forum create the conditions for their citizens to have respect for privacy and ethical data processing, including the prevention of computer crimes through the improper use of personal information of Internet users.
This is the main reason why more than 22 countries affiliated to this forum have regulations regarding personal data protection.
The curious thing is that these countries’ personal data protection regulations are closely aligned with the European Union’s general personal data protection regulation.
Let’s say that it is one of the antecedents of why the General Personal Data Protection Regulation is focused on protecting the data of its citizens within the European Union.
Affecting even businesses outside the European Union. That’s why your business must comply with this regulation, even if it is not within it.
Why does the GDPR affect businesses in Latin America?
As I have already advanced a little, you must understand that when there is an international regulation that affects other countries, the most usual thing is that the local or national regulation is taken into account first.
For this reason it is important to mention the existence of the Ibero-American Data Protection Network, since thanks to this international forum every country in Latin America already has a data protection regulation.
Although in many countries these regulations are incipient and there is still a lot of work to be done.
The truth is that there are already mechanisms in place within each country to protect people’s data on the Internet.
However, up to this point it is natural to wonder if the GDPR affects countries within Latin America.
The truth is that it does. This law affects, above all, if these businesses do business with citizens who are within the European Union.
If you want to know how is the process of applying fines you can see this post I wrote some time ago about how the RGPD is applied in Latin America.
What is the RIPD?
Perhaps the first time you hear about the Ibero-American Data Protection Network (RIPD), which is nothing more than an international forum that since 2003 has been promoting regulatory initiatives regarding the processing of personal data.
This network seeks that the member countries of this forum create the conditions for their citizens to have respect for privacy and ethical data processing, including the prevention of computer crimes through the improper use of personal information of Internet users.
This is the main reason why more than 22 countries affiliated to this forum have regulations regarding personal data protection.
The curious thing is that these countries’ personal data protection regulations are closely aligned with the European Union’s general personal data protection regulation.
Let’s say that it is one of the antecedents of why the General Personal Data Protection Regulation is focused on protecting the data of its citizens within the European Union.
Affecting even businesses outside the European Union. That’s why your business must comply with this regulation, even if it is not within it.
Why does the GDPR affect businesses in Latin America?
As I have already advanced a little, you must understand that when there is an international regulation that affects other countries, the most usual thing is that the local or national regulation is taken into account first.
For this reason it is important to mention the existence of the Ibero-American Data Protection Network, since thanks to this international forum every country in Latin America already has a data protection regulation.
Although in many countries these regulations are incipient and there is still a lot of work to be done.
The truth is that there are already mechanisms in place within each country to protect people’s data on the Internet.
However, up to this point it is natural to wonder if the GDPR affects countries within Latin America.
The truth is that it does. This law affects, above all, if these businesses do business with citizens who are within the European Union.
If you want to know how is the process of applying fines you can see this post I wrote some time ago about how the RGPD is applied in Latin America.
What is still not clear is to what extent the European Union could initiate sanction processes, regarding businesses that are within Latin America, and to what extent these businesses have to adjust their operation to the GDPR.
Above all, because I had already told you that the GDPR has had a considerable influence on the regulations within Latin America with respect to data protection and there are practically no incompatibilities.
In addition, it should be noted that when there are incompatibilities between the general data protection regulation and the data protection law of any country, the local regulation will always prevail, when applying sanctions, applying procedures and everything else related to the processing of personal data.
Can fines be imposed by the GDPR even if my business is not in Latin America?
There is no impediment in the regulations for the GDPR to result in the application of fines within businesses in Latin America.
However, the real problem is that there are no mechanisms to follow up on every possible infringement within Latin American territory.
But that does not mean that it is impossible that at some point a business located, for example, in Colombia will be sanctioned with a fine.
