What is already being done (and works)

El 1 de diciembre de 2026 marcará un momento decisivo para las empresas chilenas: entrará en plena vigencia la Ley 21.719 de Protección de Datos Personales (LPDP). Falta poco más de un año para que esta norma transforme la forma en que organizaciones de todos los tamaños tratan la información de clientes, trabajadores y proveedores. No se trata de un simple ajuste legal, sino de un cambio estructural que puede costar millones si no se aborda con planificación y visión estratégica. La LPDP establece multas que van desde sanciones leves de hasta 100 UTM, pasando por graves que alcanzan 1.000 UTM, hasta muy graves que llegan a 20.000 UTM, equivalentes a aproximadamente 1,4 millones de dólares. Estas sanciones pueden aumentar un 50% si no se corrigen oportunamente las fallas y triplicarse en caso de reincidencia. Además, la creación de la **Agencia de Protección de Datos Personales** pone en la cancha a un nuevo regulador autónomo con la capacidad de fiscalizar y sancionar.

Sectores en la mira

A poco más de un año de la vigencia plena de la Ley 21.719, una pregunta incomoda a equipos de producto y datos: ¿cómo innovar rápido y a la vez cumplir con las Evaluaciones de Impacto en Protección de Datos (EIPD)? En demos, nadie duda; en producción, los plazos sí. Chile no parte de cero: el espejo europeo (GDPR) dejó una lección simple y costosa—si la evaluación llega tarde, el rediseño sale caro y el regulador pierde la paciencia.

¿Qué cambia con la EIPD? No es un informe para “adjuntar”, es un diseño de riesgo que se mete al corazón del proyecto. Exige mapear datos, justificar bases legales, medir sesgos y definir salvaguardas antes de lanzar. Aplica cuando el tratamiento pueda impactar en serio a las personas: IA que perfila y decide, datos sensibles, observación sistemática, grandes volúmenes a escala. En Chile, además, la futura Agencia podrá pedir evidencias o frenar tratamientos si el riesgo residual sigue alto.

El desafío real no es jurídico, es operativo: cómo no matar el time-to-market. En la práctica, el “cuello de botella” aparece cuando la EIPD se realiza como trámite final. Las compañías que van ganando la partida hicieron un giro sencillo: llevar la EIPD al diseño y repartirla en iteraciones cortas.

Lo que ya se está haciendo (y funciona)

In fintech, teams working on scoring and fraud adhere EIPD to the ML pipeline: a light screening per sprint (is there sensitive data?, does the purpose change?, does it increase risk?), a deeper pause before going to production, and model cards that document variables, biases and minimal explainability. Result: fewer regulatory surprises and faster design decisions.

In retail, the bottleneck was in omnichannel: inconsistent consents between web, app and physical store. The answer was to centralize preference management and create a single data map for campaigns, CDP and CRM. The collateral benefit surprised the business: less legal friction and better segmentation because the bases are clean and justified.

Banking stumbled over legacy and third parties. The winning move was to sort data lineage end-to-end, separate environments and renegotiate contracts with enforceable privacy clauses. EIPD ceased to be “paper” when Risk, Legal, Data and Product sat down to decide trade-offs at the same table.

In healthcare, the priority was to close accesses and apply anonymization/pseudonymization by default on clinical records. Here the reputational impact outweighs a fine: the project only moves forward if security is tangible and auditable.

In telecommunications, the pain was scaling granular consent to millions of customers. The effective approach: a preference panel that revokes in minutes, with technical traceability and audit-ready evidence.

In mining, the friction is in access biometrics and geolocation at sites. The EIPD orders supplier chains, delimits what personal data is really necessary and separates operational telemetry from identifiable information. Less risk surface, more operational continuity.

How to prevent EIPD from becoming a deterrent

  • Bring EIPD to discovery. Two phases: early (rapid) screening + in-depth assessment only when risk demands it. If everything is “high risk”, nothing is.
  • Automate the repeatable: inventory and lineage, data classification, legal basis, third party lists, retention/deletion. Fewer spreadsheets, more auditable evidence.
  • Mixed team, same priority: Legal, Safety, Data and Product decide together. EIPD is not “output control”, it is design criteria.
  • Proportionality rule: low-risk projects should not expect the same level of detail as a biometrics or AI case that affects profits.
  • Simple metrics: time to complete EIPD, critical findings per sprint, % of regularized datasets, MTTR of privacy corrections. What gets measured, gets improved.

What Europe left behind (and should import)

When the European DPIAs reached the end of the project, there were months-long delays, re-bidding and, in high-profile cases, penalties for late or insufficient evaluations. The twist was to treat them as a design lever: cheaper and faster in the idea phase than in the post-mortem of deployment. Moral for Chile: “privacy roadblocks” are not inevitable; they appear when the EIPD enters after the business promised dates.

The clock is ticking. With only 14 months to go until December 1, 2026, Chilean companies face a clear choice: invest today in compliance or risk millions of dollars in fines and loss of confidence tomorrow. The decision is not legal, it is strategic.

Realistic schedule (without bureaucracy)

  • Now: screening of the entire portfolio to decide where there will be a full EIPD. Templates by project type and risk criteria accepted by Legal and Product.
  • Next 3-6 months: EIPD dry-runs on flagship projects, single evidence repository and adjusted third-party contracts.
  • Before August 2026: simulations of holder’s rights and end-of-cycle internal audit. Avoid high-risk changes without closed EIPD as of October.
  • November 2026: go-live checklist and dashboard with privacy operating metrics.

EIPD is not an obstacle: it is a way of thinking about the product. Integrated into the design, it reduces surprises, legitimizes innovation and leaves you better positioned in front of clients and regulators. With surveillance coming into force in December 2026, Chile will reward those who design with privacy from the start. Those who do, will launch more securely and with less friction. Those who don’t will learn the hard way.

More Articles:

November 28, 2025: Are your systems ready for a glitch-free Black Friday? How observability can save millions in LATAM

Explore: Facebook-f Instagram Linkedin November 28, 2025: Are your systems ready for a glitch-free Black Friday? How observability can save millions in LATAM The countdown has begun On **November 28, 2025**, millions of Latin American consumers will once again flood digital platforms in search of discounts during **Black Friday**, one of the most critical commercial events in the annual calendar.

Read More "

The domino effect of December 2026: Chile faces new data protection standard

Explore: Facebook-f Instagram Linkedin The domino effect of December 2026: Chile faces new data protection standard December 1, 2026 will mark a decisive moment for Chilean companies: Law 21.719 on Personal Data Protection (LPDP) will come into full force and effect. It will be just over a year before this regulation transforms the way in which organizations of all sizes

Read More "

Automation, AI and data: the new technological core of Latin American retail by 2026

Explore: Facebook-f Instagram Linkedin Automation, AI and data: the new technological core of Latin American retail by 2026 Retail in Latin America is undergoing a profound digital transformation. The integration of artificial intelligence (AI), big data, automation and omnichannel strategies is redefining the region’s competitiveness against global giants such as Amazon, Alibaba and Walmart. The bet not only seeks operational

Read More "

Latin American retail towards 2026: AI, automation and data as new competitive core

Explore: Facebook-f Instagram Linkedin Latin American retail towards 2026: AI, automation and data as new competitive core Retail in Latin America is undergoing an accelerated transformation. The combination of automation, artificial intelligence (AI) and big data is redefining operations, customer experience and competitiveness. Investment in smart retail technologies will grow globally by 24.9% annually until 2026, reaching US$68.8 billion, and

Read More "

Itaú Emps: Generative AI and data at the service of entrepreneurs

Explore: Facebook-f Instagram Linkedin Itaú Emps: Generative AI and data at the service of entrepreneurs Latin American banks are beginning to look at SMEs and entrepreneurs not only as customers, but also as a driver of innovation. In this context, Itaú launched Itaú Emps, a digital laboratory that functions as an experimental environment to design and test financial solutions tailored

Read More "

Santander and OpenAI: towards the first native artificial intelligence bank

Explore: Facebook-f Instagram Linkedin Santander and OpenAI: towards the first native artificial intelligence bank Banco Santander has just taken a decisive step in its technology strategy: a partnership with OpenAI to accelerate its transformation into an “AI-native bank”. With 15,000 employees in Europe and the Americas already using ChatGPT Enterprise in their daily tasks – one of the fastest deployments

Read More "

Send us a message