More than 1.3 billion euros (approximately 1.1 trillion Chilean pesos): that’s the amount Meta stands to lose for a possible breach of European regulations (GDPR) in how it handles user data [CNN Español].

The world of data is fascinating. With the advancements of recent years, the possibilities seem endless: from hyper-personalized marketing campaigns to automated customer service. What once felt like science fiction is now more accessible than ever. However, amidst all the excitement, the responsibilities and obligations that come with managing personal data are often overlooked.

The truth is that several regulations define the “rules of the game” when it comes to processing personal data. In Chile, Law 21.719—also known as the Personal Data Protection Law—was published in the Official Gazette on December 13, 2024, after its approval earlier that year [Carey.cl]. It will come into force on December 13, 2026, following a 24-month transition period that includes deadlines for the establishment of the Data Protection Agency and specific regulations.

Although these obligations may seem unexciting, complying with them is essential to protect users, safeguard an organization’s reputation, and avoid the hefty fines that can result from noncompliance.

This article will briefly address these topics and offer some recommendations on how to handle them within a team.

Regulations and Data Compliance

Regulations governing the processing of personal data aim to establish clear rules for organizations that handle this type of information. Among the most well-known are the General Data Protection Regulation (GDPR) in the European Union and the Lei Geral de Proteção de Dados (LGPD) in Brazil. These regulations cover both personal data, which can uniquely identify a person, and sensitive data, which includes information about ethnicity, health, political orientation, and more. Sensitive data requires a stricter level of protection because its misuse can lead to discrimination or violations of fundamental rights.

These regulations set out principles such as obtaining free, informed, clear, and reversible consent for data collection. They also promote transparency in data usage and the protection of users’ rights regarding their information, known as ARCO-P rights:

  • Access: The right to know what data an organization holds and how it is processed.
  • Rectification: The ability to correct incorrect or outdated information.
  • Cancellation: The possibility of deleting data when it is no longer needed for its original purpose or the consent has been withdrawn/expired.
  • Opposition: The option to refuse data processing in certain circumstances, especially those that could be harmful to individuals.
  • Portability: A newly introduced right in Chile’s Law 21.719, which allows individuals to request their personal data be transferred to another service provider [DataGuidance].

In large organizations, specialized Data Compliance teams are typically responsible for meeting these obligations. However, in smaller companies, this responsibility is often more diffuse and shared among all members. Although regulations typically exempt small businesses from certain administrative requirements, the demands for data protection are generally the same. Therefore, complying with these regulations is essential for all organizations, regardless of their size.

Notable Cases

Talking about regulatory compliance may seem logical or even obvious, but when it comes time to allocate resources, convincing everyone involved isn’t always straightforward. In such cases, examining real-world examples of noncompliance and their consequences can be enlightening:

  • Meta/Facebook (2023): Meta faces a sanction of more than 1.3 billion euros, the largest fine imposed under GDPR, for transferring the data of European citizens to the United States through processes not in compliance with regulations [CNN Español].
  • Amazon (2021): The company was fined more than 700 million euros for collecting users’ personal data for advertising purposes without obtaining clear and transparent consent, violating GDPR [CNN Español].
  • Google (2019): The company received a fine of around 50 million euros for using personal data for advertising purposes without having valid and explicit consent [BBC].
  • Meta (2024): In a separate case, Meta was fined €797.7 million by the European Commission for antitrust violations related to Facebook Marketplace [The Verge].

These examples underscore the importance of taking legal obligations related to personal data processing seriously—not only to avoid financial penalties, but also to protect user trust and an organization’s reputation.

New Personal Data Protection Law in Chile

Law 21.719 on Personal Data Protection is a milestone in Chile, aligning the country with international standards like GDPR. This legal framework guarantees key rights to citizens, such as explicit consent for data processing and the ARCO-P rights mentioned above. It also obligates organizations to report security breaches (i.e., to inform users when databases have been compromised) and creates the Personal Data Protection Agency, a regulatory body with the authority to oversee and sanction noncompliance [Carey.cl].

The law also mandates that organizations appoint a Data Protection Officer (DPO) and implement an infringement prevention model to ensure compliance [DLA Piper].

Data Governance and Compliance

As a company’s data ecosystem grows, controlling the flow of information becomes increasingly complex. Different teams consume and generate data, which is then reused by others. Without proper tools, this can lead to an inability to extract value from data and, in some cases, noncompliance with legal obligations.

Implementing clear policies on data classification, access, and traceability helps maintain control over a data ecosystem. Tools like data catalogs, lineage systems, and labeling not only facilitate identifying and efficiently using data but also support legal compliance.

How to Achieve This? Some Tools from the Google Suite

Here are some Google Cloud tools that can help govern data ecosystems:

  • Dataplex: Centralizes metadata management across platforms like BigQuery, Cloud SQL, or GCS.
  • Cloud Data Loss Prevention (DLP): Identifies and anonymizes sensitive data to prevent leaks.
  • BigQuery Lineage: Provides traceability for data transformations.
  • Data Profiling in Dataplex: Automates data quality analysis.
  • Policy Tags in BigQuery: Masks sensitive data while maintaining usability.
  • Row-Level Policies in BigQuery: Dynamically restricts data access.

Conclusion

The approval of Law 21.719 in Chile is a significant milestone, bringing the country in line with international standards like GDPR. Regulatory compliance is not just a legal requirement—it is an opportunity to strengthen trust, ensure ethical data management, and create sustainable growth in an increasingly regulated digital environment.