On 26 January 2017 Mexico enacted a new General Law for the Protection of Personal Data in Possession of Obliged Subjects (“General Law”). The General Law dictates the basis, principles and processes to guarantee individuals’ rights to the protection of their personal data. "Obliged Subjects" are any entity that benefits from public funds, including political parties and trusts, in addition to Federal, State and Municipal authorities.

The General Law provides, in similar terms as the 'Federal Law on Data Protection Held by Particulars' (“DPLaw”), the framework to be adopted for protecting personal data and facilitating transparency, including provisions to warrant peoples’ rights of access, rectification, cancellation and opposition. The compliance with both, the General Law and the DPLaw will be supervised by the Federal Institute for Access to Public information and data protection and the State Guarantors (there are currently up to 31 guarantors of the compliance of both Laws, 1 per State). It should be noted that besides the administrative penalties, both laws provide the ability for civil and criminal actions to be issued against the liable persons and/or entities.

The enactment of the General Law could have an impact on the risk exposure of any Obliged Subject and public officials in regards to data breaches. Therefore where an organisation processes personal data in Mexico, it must be aware of the risk of a data breach and consider it when placing liability or D&O policies, including additional inquiries in the proposal form, excluding the risk of the latter policies and/or incorporating a cyber endorsement for this specific liability.

The General Law can be read here (Spanish).