Changes in Cybersecurity and Data Protection in Chile (2025)

Chile is undergoing a major update of its legal framework for cybersecurity and personal data protection. Two key regulations stand out:

1. Cybersecurity Framework Law (Law No. 21.663) – Enacted in 2024, sets rules to prevent, manage, and report cybersecurity incidents at the national level.

2. New Personal Data Protection Law – Aligned with the European GDPR standard, is currently in the implementation process (project already approved in general).

Both laws are mandatory for public and private organizations and change how they must handle information and respond to digital incidents.

✅ What changes for everyone:

• • Mandatory reporting of cybersecurity incidents within specific timeframes (24–72 hours).

• • Designation of security and privacy officers within organizations.

• • More frequent audits, fines, and inspections by the Data Protection Agency (new entity).

• • Obligation to obtain clear and explicit consent for the use of personal data.

• • Technical and organizational security measures required by law.

• • Greater control over sensitive data (diagnoses, medical history).

• • Requirement for encryption, access traceability, and management of informed consent.

• • Telemedicine platforms must demonstrate robust protection measures.

• • Schools, universities, and educational apps must ensure student privacy.

• • Restrictions on the use of biometric data (e.g., facial recognition in classrooms or online exams).

• • Mandatory consent for the processing of minors' data.

• • Companies must update their privacy policies and consent mechanisms.

• • Security measures for payment systems and transaction data management will be required.

• • The use of analytics, cookies, and targeted marketing must be clearly disclosed and authorized.

• • All AI systems handling personal data must ensure transparency, explainability, and data minimization principles.

• • Regulatory risk for algorithms making automated decisions (e.g., credit scoring, candidate selection, etc.).

• • The concept of "impact assessment" before deploying AI systems is being reinforced.

• • Stronger protection is required for client and policyholder data, including medical and financial histories.

• • Systems must include active incident monitoring.

• • Digital contracts and processes require proof of valid consent and treatment logs.

• • Any loyalty system, CRM, smart camera, or connected POS must comply with the new regulation.

• • Storing proof of consent is mandatory, and users must be able to request data deletion (right to be forgotten).

1. Cybersecurity and compliance maturity assessment.

2. Update contracts, privacy policies, and terms of use.

3. Internal training on new legal responsibilities.

4. Appoint a DPO (Data Protection Officer) for medium or large companies.

5. Establish incident response plans.

6. Review AI systems, algorithms, and surveillance technologies.

These changes are not just legal—they are strategic and reputational. Companies that act now will protect not only their assets but also their customers’ trust. And in digital times, that’s gold. If you want to learn more about this and other topics related to data security and what this legal shift means, here’s a link to schedule an online meeting.

At Youtouch, we help you adapt to this major shift through the following services:

• • Diagnostic

• • Action plan

• • IT updates

• • Expert guidance

🛡️ If you’d like to learn how our service works, here’s the link to book a meeting.