
In 2009, Mexico’s Federal Constitution was amended to recognize the right to protect personal data as a fundamental right of all individuals. On July 5th, 2010, the Mexican Federal Law on the Protection of Personal Data held by Private Parties was published in the Federation’s Official Journal. The Law regulates the legitimate, controlled and informed processing of personal data held by Private Parties. Companies that do not comply face fines that start at $500,000 and may go up to $1.5M, depending on the violations.
Obligation to Identify PII
In order to comply with these obligations, companies must prepare a comprehensive Personal Data Inventory (PDI) that identifies all record types and applications used within the organization. To determine the applicability of the Law, the Data Inventory must clearly identify each record type’s media, all privacy and sensitivity elements, movement, access, retention and disposal practices, and other factors. Once completed, the PDI becomes the instrument by which compliance with Mexico’s myriad federal and state regulations can be evaluated.
PII Disposition Obligations
Under Mexico’s new law, certain records that contain personally identifiable data must be permanently deleted or destroyed after specific time periods. Additionally, the new law provides that retention of PII is also determined by the “applicable legal provisions”, which means all other legislation that includes specifications, references or provisions about the retention of PII, even if it is not defined as such. Some of the applicable laws related to proper retention and disposal include Mexico’s Privacy Law, Federal Labor Law, Social Security Law and the Tax Law.
Timeline for Compliance
“Within the next year, all data controllers will have to deal with the inventory of PII (the Personal Data Inventory) in order to meet requirements.”
- July 6, 2011 – Deliver privacy notice and appoint a person responsible for personal data
- January, 2012 – Exercise of ARCO Rights with data controllers
- 12 months/Regulations – Document procedures for retention of PII
- 18 months/Regulations – Implement security measures
About the Experts
Rebecca Perry is the Executive Vice President at Jordan Lawrence and oversees the Records Analytics™ Privacy services that provide complete, benchmarked Personal Data Inventories within 45 days for major corporations. She can be reached at 636.821.2251 or rperry@jordanlawrence.com.
Oscar Arias H. is an associate at Basham, Ringe y Correa and is available to work with existing and new clients on the implementation and management of these new legal obligations. He can be reached at 52.442.103.21.04 or oarias@basham.com.mx.