As reported by Bloomberg BNA, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) recently issued data security guidelines that implement the security provisions of the Federal Law for the Protection of Personal Data Held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares).

The guidelines advise companies to develop a security management system that includes the following four key steps:

  1. Planning – identifying key security objectives, examining data flows within the organization and conducting a risk analysis;
  2. Doing – implementing the necessary policies, procedures and plans that help to achieve the organization’s data security objectives;
  3. Checking – auditing and evaluating whether the policies, procedures and plans are achieving those objectives; and
  4. Acting – taking corrective action and other remediation measures to continually improve data security, including training relevant personnel.

Mexico’s Data Protection Secretary Alfonso Oñate-Laborde commented on the guidelines, noting that an increasing number of Mexican companies are taking affirmative steps to improve their data security. He also stated that the IFAI will focus on enforcement and conduct data security audits of companies to determine compliance with the guidelines.