In Ecuador, starting next May 26, companies and organizations could be subject to sanctioning procedures for not applying the provisions of the Personal Data Protection Law, such as having the owner’s permission to handle their personal data on their platforms.

If the client does not approve the use of his personal data, he may be left without any service or benefit; sanctions will follow in a few days.

Diego Bassante, Ecuadorian and head of government and regulatory affairs for IBM in the region, highlights the fact that Ecuador has a regulation that makes it possible to strengthen security in the handling of personal data, but says that the most important thing in this whole process is to implement a cultural change in people and organizations: what data do I expose on social networks, and what security mechanisms do companies use to protect their customers?

How is Ecuador in relation to the application of the Data Protection Act?

The processing of personal data is necessary and unavoidable in the current economy, and we are all affected. As IBM we celebrate, and as an Ecuadorian I celebrate, that there is a law in Ecuador that protects personal data, which, although it took a decade, is sound.

Why should we as citizens be especially careful in handling personal data?

What the law does is enable citizens to dispose of their personal data, through what is known as ARCO rights (Access, Rectification, Cancellation and Opposition of personal data). This law does not propose a technological change, a process change, a change in the direction of investment in organizations, but a cultural change, and based on this, the law has set a deadline that expires on May 26, 2023, so that public and private organizations can adjust to the law.

What data should we protect and how should companies act?

Faced with the law, there are three areas in which the organization must act: cultural change; the administrative and financial part of the company, where you have to allocate resources, time and energy to protect personal data; this means staff training. In addition, the law has a new figure, the personal data protection officer, who is responsible for managing and advising the company in accordance with the law. At IBM, we have experience in this and comply with personal data protection laws in more than 175 countries, and we believe that in the Ecuadorian case, companies and organizations must implement the notion of continuous compliance with the law, as they must implement privacy by default in product and service design as an organization, and training, which is important.

What are the obligations of companies under this law?

Identify their databases, as one of the things that Ecuadorian law says is that organizations must register databases and for that each company must state what they are and where they are located.

Do you have to have the express consent of citizens or users to obtain these databases?

Of course, but not only must you have consent, you must also respect the principle of purpose and treatment and the principle of information. Purpose and treatment refer to the fact that personal data must be used for certain explicit and legitimate purposes; in fact, one of the violations of the law could be using the data for a purpose that is not permitted. The company may have consent to use that data, but it’s not a blank check. The principle of information refers to the fact that the owner of the data has complete information about what the purpose of his data will be.

In addition, does consent to use personal data have a time limit?

Right, and it’s not just about time, but also about the amount and type of data being collected; this is known as the data minimization principle, i.e. personal data should be collected to the extent necessary. For example, a telephone company cannot ask for information about your medical condition; in other words, don’t ask for more data than necessary and don’t store it longer than necessary.

In terms of security, how can a citizen be sure that his personal data is not used outside the border?

At IBM, we are focused on the fact that the Personal Data Act must protect so that there can be a free and secure flow of data, enabling not only business, but also innovation. This is related to cyber security, because data cannot be protected if I do not have cyber security in my company; so this means that every organization must have systems to manage and control the who, what and why. The security team at IBM monitors more than 150 billion security events per day, and the average company needs 331 days to prevent a data breach in Latin America.

Do you have any information on how far Ecuador has progressed in terms of data protection, as sanctions for those companies that do not apply the law begin this month?

We do not have specific studies on Ecuadorian companies in terms of compliance with the law, but what we do know is that companies that implement security systems in handling their data, that use technology in cultural change, represent a percentage of older people. A recent IBM study reveals that globally, organizations that have fully implemented automation and artificial intelligence in their data security management have achieved savings of 65.2% compared to companies that have not, and have the opportunity to detect and contain cyber attacks 2.5 months faster.

What can businesses rely on IBM for to improve personal data management?

We can improve the vulnerabilities that the organization has, that is, we can help detect incorrect configurations and other errors in hardware and software in data sources maintained by the organization, and even if the data will be processed by powerful new technologies such as artificial intelligence, users must be informed about these technologies; in addition, the systems used to manage data must be transparent, explainable and able to mitigate harmful and inappropriate biases. We can implement techniques like so-called encryption, which can prevent attacks, and if there are any, the attackers can’t get anything valuable to extort money from.

What is there for citizens who do not have companies?

There is also work for citizens, i.e. taking care of personal data is not exclusive to companies, but we as data owners also have a responsibility to take care of data. We need to start implementing simple actions, for example, not posting too much information on social networks. People must be the first custodians of our data, for example on different platforms when a person forgets the platform, wonders what was his first school, what was the brand of your first vehicle, etc., and if I have all this public information distributed on the Internet, I will be exposed to vulnerability.

What are the recommendations that we can give to the public regarding the application of the Personal Data Protection Act, what should we take into account?

In order to raise those antennas and be ready for such situations, we must be aware of a cultural change that should not only be at the business level, but also at the individual level, which is the awareness that I, as a citizen, am the owner of my personal data and understand that some data is sensitive, and I take actions to protect it, I don’t publish it or give it to those I don’t think should have it; but ultimately, companies must see this regulation as a support for their business, as a channel for building user trust.

What is missing in Ecuador to fully implement the regulations that have been in force since 2021?

What is missing in the state is the appointment of a control body, the appointment of supervisors, which is provided for by law, for which the President of the Republic must send the appropriate shortlist to the Council for Citizen Participation and Social Control for its selection. This will mark the field.