The Mexican data protection authority, the Institute of Access to Information and Data Protection (the IFAI), has issued data security guidelines for businesses to ensure measures are implemented to comply with the data security provisions of the Mexican data protection law, the Federal Law on the Protection of Personal Data in the Possession of Private Parties (the Federal Law).

Mexico’s Data Protection Secretary, Alfonso Onate-Laborde, commented, “Although the Mexican Data Protection Law required companies to implement a minimal set of security measures by 21 June 2013, many companies have not done so and stay at a low level of compliance with the rules. The Guidelines will provide useful advice for companies on how to implement security rules into their operating processes.”

To ensure compliance with Article 19 of the Federal Law in particular, the IFAI guidelines recommend that companies adopt a Safety Management System of Personal Data based on a four-step process, ‘Plan-Do-Check-Act’ (the PDCA cycle), which can be summarised as follows:

  1. Plan - identify key security objectives, examine data flows within the organisation and conduct a risk analysis
  2. Do - implement the necessary policies, procedures and plans to help achieve data security objectives
  3. Check - audit and evaluate whether policies, procedures and plans are achieving security objectives
  4. Act - take corrective action and other remediation measures to continually improve security, including training relevant personnel

While adoption of the guidelines is voluntary, companies are warned that the IFAI has the power to issue fines of up to $3 million to penalise incidents involving data security breaches. The IFAI is set to hire third-party contractors to conduct data security inspections, reinforcing the reputation for increasingly punitive enforcement that it has built in recent months, for example through the €1 million fine against Banamex, the Mexican division of Citibank.

Alfonso Onate-Laborde commented, “An increasing number of Mexican companies are taking affirmative steps to improve their data security, realising there is no more time left to postpone compliance ... the IFAI will focus on enforcement and conduct data security audits of companies to determine compliance with the guidelines.”