What is Mexico’s Federal Data Protection Law?
In the last two decades, data breaches became a real threat to the people and the Mexican authority understood it. The Federal Law on the Protection of Personal Data held by Private Parties, also called “the law”, was approved by the Mexican congress and came into action on July 6, 2010. The regulation applies to private individuals and legal entities who process data on the Mexican territory, and use mean located in Mexico to process personal information.
A large number of companies from different sectors such as retail, insurance, travel are subject to the law and are obliged to follow it. The Mexican regulatory body is allowed to perform on-site inspections and control the organization’s facilities to verify that they comply with the law. Violations of the regulation may result in monetary penalties up to 320,000 times the minimum wage and up to 5 years of imprisonment.
Requirements
Right of Access to Data / Copies of Data:
Data owners have the right to access and consult their personal information that is held by the data controller at any time they request.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right to Deletion / Right to Be forgotten:
Data owners have the right to require the cancellation of their personal information at any time. This request will result in a blocking period, after which the organization will delete all relevant data. In some cases, the controllers may have to keep the personal information of data owners for the purposes of the responsibilities regarding the treatment.
How SecuPi Helps:
On the application level, SecuPi redacts information on customer who requested to be forgotten (referred to as “logical deletion” ). On the database level, SecuPi applies Format Preserving Randomization (FPR) Anonymization, ensuring that both the personal data is anonymized, as well as randomized on different databases, to prevent correlation of the same anonymized value between different data sets.
Right to Object and Restrict Processing:
In any case, data owners have the right to object and restrict the processing of their personal information due to a legitimate reason.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right to Withdraw Consent
Data subjects have the right to withdraw their consent for the treatment of their personal information. It is the role of the controller to establish easy and free mechanisms that allow data holders to withdraw consent at least by the same means by which they gave it.
How SecuPi Helps:
To enforce the right to object, for any purpose, SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request). Using Dynamic Masking and redaction, SecuPi can disable access to data subjects where consent wasn’t given or where the customer requested to restrict processing of personal data.
Breach Notification:
Article 64 of the new regulation requires organizations to notify individuals without delay as to any breach that affects their moral or patrimonial rights as soon as they acknowledge a breach has occurred.
How SecuPi Helps:
In the unfortunate case of a breach, SecuPi’s audit logs and behavior analytics can pinpoint exactly which data was exposed and breached, and significantly shorten the reporting time, while providing accurate and accountable information. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
