Many organizations know they have obligations under Law 25 but don't know how to turn that awareness into concrete action. The challenge is usually not a lack of willingness; it's a lack of structure.
Here are the first five steps to assess your situation and begin a serious compliance process.
Step 1: Designate a Privacy Officer
Before anything else, formally designate a Privacy Officer. This role already exists in your organization, whether or not you've made it official: someone is making decisions about digital tools, vendor contracts, and HR practices. Law 25 requires that this responsibility be explicit and that the designated person be publicly identified.
This does not have to be a full-time position. In small and medium businesses, it's often the CEO or IT manager who takes on this role alongside other responsibilities. What matters is that the person has real authority to act, not just a title.
Step 2: Inventory Your Data
You cannot protect what you don't know you have. A personal information inventory answers four questions:
- What information do you collect? (names, emails, health data, financial data, etc.)
- Where is it stored? (internal servers, cloud, workstations, shared spreadsheets)
- Who has access? (employees, contractors, partners)
- Why do you hold it? (what purpose justifies each category of data)
This exercise often reveals data retained without a clear reason, overly broad access permissions, or vendors processing your data without a formal agreement in place.
Step 3: Assess Your Current Practices Against the Obligations
Once the inventory is done, compare your current practices to the law's requirements. You have the data: do you have consent to use it? You have employees: have they received specific training on personal information protection? You have IT vendors: do you have up-to-date confidentiality agreements?
This step produces a list of gaps. It is not a list of problems; it's a starting point.
Step 4: Prioritize the Gaps
Not all gaps present the same level of risk. Here is a simple prioritization framework:
- High priority: sensitive data (health, finances, data about minors) without adequate security measures; no designated Privacy Officer; no process for handling access requests
- Medium priority: non-existent or outdated privacy policies; untrained staff; no incident register
- Low priority: incomplete documentation; informal but functional processes that simply need to be formalized
Focus your first actions on high-priority items. The rest will follow.
Step 5: Build a Roadmap
An assessment without an action plan produces only anxiety. Turn your prioritized gap list into a plan with assigned owners, deadlines, and identified resources.
The roadmap doesn't need to be complex. For most organizations, three to six months is enough to address high-priority items. The goal is not immediate perfection; it's measurable progress.
Structure Matters as Much as Intention
Law 25 compliance is not a one-time project. It is an organizational capability you build over time. Organizations that do well are not necessarily those with the most resources; they are the ones with a clear method.
Observantia follows exactly this five-step process. Its assessment engine guides you through the inventory, gap analysis, and prioritization, then generates a compliance report and a customized roadmap for your organization.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.