The legal and the information systems frameworks are defined in order to protect personal data in Mexico

In its Recommendations, the IFAI defined the elements that must conform the information and risk management model in order to be implemented in the companies, as well as the actions, measures and controls suggested by the IFAI, which are based on international standards.

Why is it important to implement the Recommendations of the IFAI?

The Recommendations are applicable to any company that obtains and/or processes any personal data in Mexico. Even though the implementation of such Recommendations is not mandatory, the companies which apply them may avoid fines or obtain a penalty reduction. The aforementioned, is of great relevance, since in case of a data robbery caused by a cyber attack (data breach), besides the loss of assets, the IFAI might be able to impose a penalty if the company did not implement a Personal Data Security Management System (PDSMS). These Recommendations offer a reference for IT Areas, regarding the controls and measures that must be established in the management system.

What are the Recommendations?

Last October 30, 2013, the IFAI issued its “Recommendations in matters of Personal Data Security” (Recommendations). These have been established based on international standards of information security techniques and risk management, including the ISO/IEC 27001:2005 and the ISO 9000:2005, among others. Nevertheless, no particular standard has preference over the others.

The PDSMS suggested by the IFAI has the objective of promoting a framework for the management of personal data, which allows to maintain accuracy and improve on the compliance of the Federal Data Protection Law, as well as the promotion of good internal practices. The management model is based on a Planning-Doing-Verifying-Acting (PDVA) cycle:

  1. Planning: Define the objectives, policies and processes to manage the risk of personal data. Prepare an inventory of personal data, identify safety measures and undertake and analysis in order to identify gaps.
  2. Doing: Determine responsibilities in order to implement and operate the applicable security measures to personal data.
  3. Verifying: Monitoring of the compliance of the procedure according to the LFPDPPP, and inform of the results in case of revision or auditing.
  4. Acting: Adopt corrective and preventive measures to improve on a continuous basis, as well as the training of the company’s personnel.

What must the companies do?

We suggest our clients that their IT and Legal Areas review these Recommendations and elaborate a plan for their implementation. Once these Recommendations are implemented, they must be documented in policies that may bring responsibility for the Client and its affiliates.


The Recommendations are an opportunity for companies to achieve the reductions of fines and penalties, particularly in those cases in which they are impossible to offset, like a data breach. Likewise, they increase the certainty in relation to the safety standards that must be implemented by companies.

Our practice in matters of Personal Data Protection at Baker & McKenzie has created and implemented a Compliance program for the Federal Data Protection Law so that Mexican companies avoid sanctions given by the IFAI.