In this submission, we will continue to develop the basic steps that should be followed in order to consolidate a basic system of data protection management that conserves its vitality and dynamism through time:

  1. Develop simple tools that go in accordance with your business, do not copy or assemble generic tools just because it is required by law as you can take this as an opportunity to give them your personal signature without leaving behind the basic premises of data protection. This is the only way in which you will sensibilize people with the topic and impregnate it in the DNA of your business.
  2. Do not underestimate any situation: analyze and examine with extreme detail the petitions, complaints, and claims that are formulated by your clients, employees, providers, and third-persons. This is the best way to learn the fears and worries surrounding the treatment of personal information and in turn generate a language and specific tools that allow you to have an informed, reasonable and efficient data treatment.
  3. Qualify, educate and update your employees and providers, especially when providers might become in charge of the personal information treated. Don’t miss the opportunity to sensibilize and highlight the importance of the topic, as the main goal should be that every person internalizes the obligations regarding personal information, is in full capacity to identify the risks of its treatment and has the proper tools to handle it.
  4. Lastly, maintain a constant monitoring system and develop a thorough audit. As Officer of Data Protection, you should prepare simple but adequate reports to explain the gradual advances of the program that is being developed; conserve full traceability of your administration and accumulate the acquired knowledge. Stimulate your employees to know, understand and ask whenever they have any doubts and furthermore to comply with your internal policies and procedures generated regarding data protection.

There’s a lot to do and every single thing counts.

A whole culture cannot be consolidated in a year,

But the accumulation of various years of work will give businesses the tranquility of working in a consistent manner and will endow them with knowledge so that even their own employees will develop and propose innovative and refined practices every single day that incorporate from the beginning a transparent and informed treatment of personal data

It is not an extra load,

It is an opportunity to relearn, to give value to something that had never been conceived as important in your business as its real dimension had not been yet discovered, and to move forward in a safer manner.

To the Authority in Data Protection of Colombia (SIC for its acronym in Spanish), this principle is completely relevant when it comes to evaluating the behavior of businesses in an investigation, also because it involves the general responsibility that administrations have to do everything that is needed in order to comply with the standing legislation.

Recently, there have been several cases in which this principle has been included as a factor to analyze the conduct of the business, such as the investigations against Bancolombia, Fallabela, Linio and others:

  1. “Application of the Principle of Demonstrated Responsibility (Accountability): It is not applicable when the internal policies were implemented after the event that led to the sanction. Responsibility of the administrators: the legal and economic responsibility regarding the treatment of personal data lies in the shoulders of the administrators, that should proceed with professionalism and diligence when it comes to the management of data protection”

  1. “Duty to implement effective, appropriate and verifiable measures: the person responsible for the treatment and management of data should implement effective appropriate and verifiable measures”