
Privacy Tracker | Colombia: Is a Data Protection Officer Required for Compliance?


With 47 million people and the third-largest economy in Latin America behind Brazil and Mexico, Colombia is increasingly a place where multinational firms are doing business. Further, Colombia is looking to fit into the global marketplace by establishing itself as a jurisdiction where data protection and privacy are taken seriously.

Over the past few years, Colombia has passed and implemented various privacy laws and regulations, including Law 1581 in 2012, Decree 1377 in 2013, Resolution 20752 in 2013, Law 1712 in 2014 and Decree 886 in 2014. Law 1712 provides for some access to government documents and other public documents but generally isn’t relevant to privacy professionals in the private sector. The rest of the laws, decrees and resolutions provide guidance for companies trying to get a better handle on what the Superintendencia de Industria y Comercio (SIC), the Colombian data protection enforcement body, expects of companies that collect personal data. Specifically, what are the internal administrative requirements and responsibilities of companies that fall within Colombian jurisdiction?

More specifically, are companies actually required to have a data protection officer?

The short answer to that question is “yes.” But there is an alternative way to satisfy the requirement rather than naming a specific person to that title. One can look to Decree 1377, implemented in 2013, in which the Colombian government issued guidance on accountability principles. In 1377, the SIC provided some flexibility as to how a company can remain accountable for its privacy practices. Instead of requiring a specific data protection officer, the decree states that a person or group within each data controller and data processor must be in charge of the company's data protection compliance program.

So there is no requirement that companies have a specific data protection officer, but someone or some area within the company, such as a privacy group or another area within a legal department, must be responsible for the data protection program. In addition, Article 23 of Decree 1377/2013 specifies that this role must be appointed in both data controllers and data processors.

What is the purpose of this DPO or privacy group?

Article 23 appears in Chapter 4 of 1377, titled, "Exercise of the Rights of the Data Owners." Within the section, other articles include "the right to access" and the rights to update, modify and delete personal data. As mentioned by José Alejandro Bermúdez Durana, deputy superintendent for data protection for Colombia’s SIC, these sections speak to the need for accountability within each company. Article 27 of 1377/2013 also speaks to accountability directly to the data subjects, requiring the adoption of a process for addressing and responding to queries, requests and claims by data subjects regarding any aspect of treatment.

What are the responsibilities of the DPO or privacy group?

Law 1581 lays out all of the privacy rights that a company must abide by, but it only lists a couple of specific requirements. Article 17 of Law 1581 lists the data controller’s responsibilities, including the requirement for the adoption of an internal manual of policies and procedures to ensure proper compliance and the requirement that data controllers require data processors to respect the security and privacy of data subjects at all times.

Looking to Decree 1377, it is helpful to interpret Article 23 in conjunction with Articles 13, 26 and 27. Article 26 describes the methods of proving compliance with Colombia's Data Protection laws. At the request of the SIC, data controllers should be able to prove appropriate and effective compliance with the law, in proportion to the following: (1) the legal nature of the controller and the size of the company (micro, small, medium, or large), (2) the nature of the personal data that is subject to processing, (3) the type of processing and (4) the potential risks to the rights of the data owners that may be caused by the processing. Therefore, a number of factors affect the proof of an effective compliance program.

Article 13 describes the policies for the treatment of information. It states that the data controller must develop policies for the treatment of personal data and ensure that the data processor is fully compliant with those policies (this is similar to the responsibilities of DPOs in some EU countries, such as France). Therefore, the responsibilities of creating internal data processing policies, as mentioned in Law 1581, and enforcing those policies with a company’s data processors will fall to either the data protection officer or the data protection group.

Article 27 is titled, "Effective Internal Policies," and it describes the effective and appropriate ways that the factors in Article 26 should be applied. In focusing on the question of internal policies and DPOs, this article is somewhat helpful, but not completely. It reiterates the need for an administrative structure that is proportionate to the size and structure of the data controller to ensure the adoption and implementation of policies consistent with the data protection laws. It also states that a company should adopt internal implementation mechanisms, such as training and education programs for its employees. And, the company needs to have built into its program the capacity to handle data subjects’ petitions and requests.


The difficulty in providing guidance about this section is that there are no best-practices guides explaining the criteria in Article 26. For instance, how large should a privacy compliance group be for a start-up social networking company that has 100,000 members but only 25 employees? At the Second International Data Protection Congress in Colombia, industry professionals from companies like HP and Walmart provided some guidance on best practices (see the Accountability section for some English documents). However, the SIC has yet to provide any guidance itself. Hopefully, that will all change this spring: during Colombia’s Third International Data Protection Congress, taking place May 28-29, the SIC plans to release its implementation guides. Until then, here is a summary of the above rules and regulations.

Taken all together, Articles 13, 23, 26, and 27 of 1377/2013 require data controllers’ and data processors’ data protection compliance responsibilities to be placed in the hands of a single person or group. It is implied that this person or group must have the know-how and resources to effectively and appropriately comply with the laws and decrees. While Decree 1377/2013 only states that the data controllers will be required to prove their compliance to the SIC, the data controllers themselves will be responsible for ensuring that the associated data processors are also in compliance with the controller’s policies.

Data controllers will also have to prove that the administrative structure, which may include the DPO, the privacy group and/or the information security group, is proportionate to the size and structure of the company. As a whole, that means that they must be of the size and structure to ensure compliance within their own organizations and the data processors’ organizations and still have the capacity and ability to handle data owners’ petitions and requests.

Bottom line: However big the company, the program needs to start with at least one person or group.

2 Comments

  • Jose • Mar 17, 2015
    Joseph, this is indeed a good description of the way data protection regulation, specifically as it relates to accountability, has been rolling out in Colombia. You are right to point out that there are still some difficulties in understanding how to build an effective privacy program. This will be precisely the aim of the Guidelines that we will launch during our Conference in Medellin, Colombia on May 28 and 29. Also worth highlighting is the final section of article 27 of Decree 1377, which specifically instructs the SIC to take into account the implementation of effective privacy programs and policies when enforcing the law and imposing sanctions.

    I look forward to more discussions and comments on this ongoing initiative.

    Jose Alejandro Bermudez
    SIC

  • Joseph • Mar 19, 2015
    Hi José, thank you for the kind words. I will continue to follow the developments in Colombia and I am looking forward to checking out the upcoming Guidelines. Thanks, Joe Mazzella.