Data Protection Guide

The data protection guide is a practical resource designed for companies that need to understand and properly apply current regulations in Chile, especially Law No. 21,719. It is not only about formal compliance, but about implementing a data management model that reduces legal risks, protects reputation, and enables secure operations.

Today, any company, regardless of its size, processes personal data: clients, employees, suppliers. Therefore, having a clear data protection guide allows you to identify obligations, avoid common mistakes, and make informed compliance decisions.


What does data protection regulate in Chile?

The data protection guide must begin with the legal framework. In Chile, Law No. 21,719 establishes a modern system for personal data protection, aligned with international standards such as the EU GDPR.

This law regulates:

  • The processing of personal data
  • Data subject rights
  • Company obligations
  • Sanctions for non-compliance
  • The creation of a Data Protection Agency

You can review the official text at the National Congress Library.


Who does this regulation apply to?

An effective data protection guide must clearly state that this law applies to:

  • Companies of any size (including SMEs)
  • Independent professionals
  • Public and private organizations
  • Any entity processing personal data in Chile

It does not matter whether the processing is digital or manual. If personal data is collected, stored, or used, the law applies.


Key obligations for companies

The data protection guide identifies the main obligations companies must comply with:

1. Have a legal basis for processing data

Personal data cannot be processed without a legal justification. The most common legal bases are:

  • Data subject consent
  • Performance of a contract
  • Compliance with a legal obligation
  • Legitimate interest (in certain cases)

2. Inform the data subject

Companies must clearly communicate:

  • What data is collected
  • Why it is used
  • With whom it is shared
  • What rights the data subject has

This is implemented through privacy policies.

→ See: privacy policies.


3. Implement security measures

The data protection guide highlights that compliance is not just declarative: real measures must be implemented to protect data.

This includes:

  • Access control
  • IT security
  • Incident response protocols
  • Vendor management

4. Respect data subject rights

Companies must be prepared to respond to requests for:

  • Access
  • Rectification
  • Erasure
  • Objection
  • Portability

→ See: Data Subject Rights.


5. Document compliance

The law requires traceability. This involves:

  • Record of processing activities (ROPA)
  • Internal policies
  • Documented procedures

Compliance stages in a company

A useful data protection guide explains not only the law, but how to apply it. Compliance is typically structured in stages:

Assessment

Identification of data, flows, and risks.

→ See: Data Protection Assessment.

Design

Definition of policies, legal bases, and compliance model.

Implementation

Application of technical and organizational measures.

Training

Internal training to reduce human error.

Monitoring

Ongoing control and system improvement.


Impact and risk assessment

The data protection guide must consider that not all processing activities carry the same level of risk.

A Data Protection Impact Assessment (DPIA) is required in high-risk cases, for example:

  • Sensitive data
  • Automated profiling
  • Mass surveillance

→ See: Data Protection Impact Assessment (DPIA).

This analysis helps prevent violations before they occur.


Role of the Data Protection Officer

The data protection guide also includes the role of the Data Protection Officer (DPO).

This role:

  • Oversees compliance
  • Coordinates impact assessments
  • Acts as a contact point with the authority

→ See: Data Protection Officer (DPO).

Although not always mandatory, it is highly recommended for companies with significant data processing activities.


Risks and sanctions

One of the most critical aspects of any data protection guide is understanding the consequences of non-compliance.

The law provides for:

  • Significant financial penalties
  • Reputational liability
  • Regulatory oversight

→ See: Data Protection Fines.

The risk is not only legal, but also commercial: loss of trust from clients and partners.


Common mistakes in companies

A data protection guide helps avoid common mistakes such as:

  • Copying generic policies without real analysis
  • Failing to document processes
  • Not responding to data subject requests
  • Not managing providers with access to data
  • Assuming it only applies to large companies

These mistakes significantly increase the risk of sanctions.


Why implement a compliance model?

The data protection guide should not be seen only as an obligation, but as a competitive advantage.

Benefits:

  • Reduces legal risks
  • Improves customer trust
  • Organizes internal processes
  • Supports growth and scalability
  • Prepares the company for audits or inspections

Practical approach for SMEs

For SMEs, the data protection guide must be applied with a practical approach.

It is not about replicating complex models, but about:

  • Identifying what is essential
  • Implementing what is necessary
  • Prioritizing real risks

→ See: SME Data Protection Plan.


Approach for growing companies

Companies handling larger volumes of data require:

  • Greater formalization
  • Deeper risk assessments
  • Continuous monitoring

→ See: Data Protection Advisory for Companies.


FAQ – Data Protection Guide

What is a data protection guide?
It is a resource that explains in a structured way the legal obligations, risks, and necessary measures to comply with data protection regulations in Chile.

Is compliance with Law No. 21,719 mandatory?
Yes. All companies processing personal data are subject to this regulation, regardless of their size or industry.

Do SMEs also need to comply?
Yes. The law does not distinguish by size. SMEs must implement measures proportional to their level of risk.

What happens if I do not comply?
You may face fines, regulatory oversight, and reputational damage with clients and the market.

Where should I start?
It is recommended to begin with an assessment to identify gaps and define a compliance plan.

 


Implement data protection correctly in your company

Turn this guide into a real compliance plan

The data protection guide is only the starting point. To effectively comply with Law No. 21,719, you need a tailored approach with assessment, implementation, and monitoring.

 
