In the Central American region, the legal framework must guarantee the confidentiality of personal data. In terms of security policies, seven out of 10 large companies in Central America claim to have them defined, dictating how employees should behave when using the company's computing resources and how to handle data confidentially. However, in order to face growing vulnerabilities and risks, any internal policies or regulations established within companies need to be complemented with proper technology. In both El Salvador and the rest of the region, companies are rethinking their security strategies, including their policies, work regulations and internal processes.
The objective of information security is to protect data and to prevent its loss and unauthorised modification. The protection must first guarantee the confidentiality, integrity and availability of the data, but there are other requirements, such as authenticity.
The push behind implementing different protection measures stems from the self-interest of the company itself or the person handling the data, because the loss or modification of data may cause substantial damage (tangible or intangible) to the company. At the same time, the protection measures that are implemented are directly tied to the level of investment of resources and to the operational costs of the company's processes.
To be successful, it is essential that protection measures are feasible in practice, that is, that they fulfil their purpose when incorporated into the institutional operating processes, and that people take ownership of them.
It is important that the people who apply the measures know and understand their purpose and significance. To accomplish this, employees have to be properly trained in their use, in such a way that they see them as an organic need and not as a labour barrier.
These measures are a continuous process; their management, maintenance and updating must be integrated into the operational business, backed by rules (internal policies and/or internal work regulations in accordance with the legislation of each country) that standardise their application, their control and the sanctions in case of non-compliance.
For all the above, our general recommendation is to comply as far as possible with the OECD's non-binding, technologically neutral principles, which are being used internationally to establish either a legal framework or an industry standard. The eight Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data apply to both governmental and commercial uses of personal data. They call for (1) limiting the collection of personal data and ensuring that such information is obtained only by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject; (2) ensuring that the information collected is relevant to the purposes for which it is to be used, accurate, complete and up to date; (3) specifying the purposes for which personal data are collected; (4) not disclosing or using data for purposes other than those specified in advance; (5) protecting the data by reasonable security safeguards; (6) establishing a general policy of openness about developments, practices and policies with respect to personal data; (7) giving individuals the right to obtain their personal data within a reasonable time and in a reasonable manner; and (8) holding data controllers accountable for complying with the requirements of these principles.
Consortium Legal in Central America is at the forefront of technology, strengthening its practice areas with complementary areas of practice specialising in data protection, new technology, computer security, digital crime and corporate compliance.
María Alejandra Tulipano Illueca