Changes in Cybersecurity and Data Protection in Chile (2025)
July 10, 2025
Chile is undergoing a major modernization of its legal framework for cybersecurity and personal data protection. Two key regulations stand out:
Cybersecurity Framework Law (Law No. 21.663) – Enacted in 2024, it sets rules for preventing, managing, and reporting cybersecurity incidents nationwide.
New Personal Data Protection Law – Aligned with the European GDPR standard, it is in the implementation phase (project already generally approved).
Both laws are mandatory for public and private entities and reshape how organizations must handle information and respond to digital incidents.
How does this affect your company and your clients?
What changes for everyone:
• Mandatory reporting of cybersecurity incidents within specific timeframes (24–72 hours).
• Appointment of security and privacy officers within organizations.
• More frequent audits, fines, and inspections by the Data Protection Agency (new entity).
• Clear and explicit consent required for the use of personal data.
• Legally mandated technical and organizational security measures.
Health:
• Increased control over sensitive data (diagnoses, medical history).
• Requirement for encryption, access traceability, and management of informed consent.
• Telemedicine platforms must demonstrate robust protection measures.
Education:
• Schools, universities, and educational apps must guarantee student privacy.
• Restrictions on the use of biometric data (e.g., facial recognition in classrooms or online assessments).
• Mandatory consent for processing minors’ data.
E-commerce and Retail:
• Companies must update privacy policies and consent mechanisms.
• Security measures will be required for payment systems and transactional data management.
• The use of analytics, cookies, and targeted marketing must be clearly disclosed and authorized.
Artificial Intelligence:
• Any AI system that processes personal data must ensure transparency, explainability, and data minimization.
• Regulatory risk for algorithms making automated decisions (e.g., credit scoring, candidate selection).
• Emphasis on conducting “impact assessments” before deploying AI-based systems.
Insurance and Financial Sector:
• Greater protection required for client and policyholder data, including medical and financial records.
• Systems must have active monitoring of incidents.
• Digital contracts and processes must provide valid evidence of consent and processing logs.

• Any loyalty system, CRM, smart cameras, or connected POS must comply with the new regulations.
• Evidence of consent must be stored, and users must be able to request data deletion (right to be forgotten).
Assess cybersecurity maturity and legal compliance.
Update contracts, privacy policies, and terms of use.
Train internal teams on new legal responsibilities.
Appoint a DPO (Data Protection Officer) in medium or large companies.
Establish incident response plans.
Review AI systems, algorithms, and surveillance technologies.
These changes are not only legal—they are strategic and reputational. Companies that act now will protect not only their assets but also their clients' trust. And in digital times, trust is gold.