In May 2015, the Colombian privacy regulator issued Guidelines for the Implementation of the Accountability Principle to assist organizations in complying with their accountability obligations under the Colombia Data Protection Regulation.  The Colombian regulator follows a suite of other national regulators that have issued similar guidance, including Hong Kong and Canada.  In this post, we explain how accountability is regulated under Colombian law and provide a brief analysis of the Guidelines in their international context.

The Accountability Principle In Colombian Data Protection Regulation

Colombia is one of the first (and, so far, few) countries to have enshrined the accountability principle in its national data protection law and to impose mandatory accountability obligations on private and public sector organizations.  A secondary regulation (issued in 2013 under Colombia’s main 2012 Data Protection Regulation) requires data controllers (and potentially also data processors in some instances) that collect or process personal data of individuals who reside on Colombian territory to do so in compliance with the accountability principle.  In particular, the secondary regulation requires organizations to be able to demonstrate to the regulator upon request that they have implemented effective and appropriate internal measures to comply with their legal data protection obligations. 

The secondary regulation does not specify concrete measures to be implemented, but it lists the following measures by way of example:

  • an internal administrative structure that is proportionate to the structure and size of the organization to ensure the adoption and implementation of policies consistent with applicable data protection laws;
  • internal implementation mechanisms such as training and education programs for employees; and
  • procedures to handle requests and complaints from data subjects.

The Colombian codification of the accountability principle is very much aligned with the accountability approach adopted by the EU Article 29 Working Party in its Opinion 3/2010 and the proposed accountability obligations under the forthcoming EU General Data Protection Regulation.

The Guidelines

The Guidelines provide clear and much-needed guidance to organizations as to what specific measures they should adopt to satisfy their accountability obligations.  While the Guidelines are not mandatory, adherence to them is advisable for many reasons, including that the Colombian regulator has indicated that accountable organizations are likely to receive lenient treatment when it comes to regulatory investigations and the imposition of sanctions.

In essence, the Colombian Guidelines, much like the earlier Canadian, Hong Kong and Australian accountability guidelines and in line with the OECD approach to accountability, explain to organizations how to design and implement a comprehensive privacy management program (PMP).  In summary, the Guidelines encourage organizations to:

  • commit to privacy compliance as an organization and build a culture of privacy by obtaining management buy-in, designating a data protection officer with specific responsibilities such as designing and implementing the PMP, and implementing internal report and audit mechanisms;
  • put in place specific measures such as keeping personal data inventories, undertaking privacy impact assessments, implementing data protection policies and notices, training staff, putting in place procedures for handling access requests and complaints by data subjects, implementing data breach response plans, and protecting personal data managed by third-party service providers through appropriate contractual and other mechanisms; and
  • continuously monitor, evaluate and adapt the PMP and the various measures adopted under it.

Outlook

The Guidelines are a laudable initiative by the Colombian regulator and should be welcomed by a wide range of stakeholders.  They provide helpful practical guidance, they promote international harmonization of privacy compliance approaches, and they reinforce Colombia’s aspiration to guarantee one of the highest data protection standards in Latin America.