The Superintendency of Industry and Commerce (‘SIC’) Colombia’s data protection agency, launched its Colombian Accountability Guidelines (the ‘Guidelines’). The first document of its kind in South America, the Guidelines are aimed at helping companies understand and implement Colombia’s Data Protection Regulation implemented in 2012, and reinforced by an additional regulation in 2013.
The advice mainly deals with the Colombian concept of ‘demonstrable responsibility’. This concept is akin to accountability and requires data controllers to be able to demonstrate that they have implemented appropriate measures to comply with Colombia’s data protection law, including by providing a description of the internal security procedures they have introduced and how the processed data is relevant to individuals. This concept has not been without critics, however, who raised concerns about how to comply and lead organisations to seek further guidance.
The SIC’s introduction of the Guidelines is meant to encourage interaction between organisations and the SIC in the aim of allowing the SIC to help organisations implement programs and train staff, rather than risk enforcement fines for failing to comply. The Guidelines are not compulsory, but companies that follow them reduce the chances of being found to breach data protection requirements, and compliance with the Guidelines will be taken into account when assessing violation sanctions.
The SIC have received more than 16,000 complaints since they opened in 2009, but with an office of just 25 employees, are unable to deal effectively with every issue. They hope that by providing further advice, companies will be able to develop more advanced data protection programs and in turn reduce the number of complaints they receive. With around $651,000 worth of fines issued already this year for non-compliance, the incentive is there for organisations to take note and use these Guidelines to their advantage.