It's time to consolidate the internal privacy programs in Mexico; that is the message that the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) is giving with its recent publication of its Implementation Toolkit (the "Toolkit").
Since the publication of the FDPL in 2010, many data controllers in Mexico have relied in complying with the the most basic of obligations only: (i) delivering a privacy notice; (ii) obtaining consent from the data subjects; (iii) having a privacy function within their organizations; and (iv) maintaining some minimal level of security. Having such general compliance is absolutely necessary, but the INAI is recommending data controllers to step it up a notch and its even providing the tools to do it. The Toolkit is intended to help data controllers and data processors comply with their duty to maintain administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing.
This Toolkit provides data controllers with an easy way to implement personal data security awareness within their internal privacy programs. The Toolkit includes different materials, including presentations, training materials and graphic materials intended to be disseminated throughout organizations to increase internal awareness. In addition, the Toolkit includes a basic evaluation that organizations may use to validate the privacy awareness of their employees.
We consider this to be a good initial aid into evaluating awareness, however this Toolkit does not replace more detailed audits or exercises to determine or validate the maturity of an internal privacy program. Nonetheless, we anticipate this will be of great help to organizations that are looking to take the next step in complaining with their obligations.
The implementation of the Toolkit by those responsible and in charge of the private sector will make it possible, on the one hand, to make their personnel aware of the importance of personal data protection and, on the other hand, to promote a culture of respect for the privacy of the users of their services, providing information related to Mexican legislation on the subject, with the obligations they must observe and with different elements to understand and guarantee the security of personal data.