There is one date every data committee in LATAM should have circled: December 1, 2026. That day, Chile's Ley 21.719 — published in December 2024 — comes into full force, rebuilding the country's personal data protection regime from the ground up. And it doesn't arrive alone: it brings an autonomous Data Protection Agency with the power to investigate on its own initiative, order processing suspensions, and publish a National Registry of Sanctions.
The fine regime defines three tiers — minor (up to 5,000 UTM), serious (up to 10,000 UTM) and gravest (up to 20,000 UTM, in the range of 1.4 billion Chilean pesos) — and for repeat offenders the penalty can escalate to 4% of annual revenue. It is the language of Europe's GDPR, spoken for the first time with a Chilean accent.
Brazil already showed what enforcement looks like
If Chile is the immediate future, Brazil is the present. The LGPD (Lei 13.709/2018) has been enforced since August 2021, and its authority — the ANPD — already applies a sanction-calculation methodology (Resolução CD/ANPD nº 4/2023). Article 52 of the law itself sets fines of up to 2% of revenue in Brazil, capped at R$ 50 million per infraction, plus sanctions that hurt as much as the money — blocking or deleting the data, suspending processing activity, and publicizing the infraction.
The Brazilian lesson is clear: the authority doesn't audit intentions, it audits evidence. And the wave doesn't stop at two countries — Panama, Ecuador and Peru have all renewed or regulated their frameworks in recent years. The regional direction is one.
What the laws actually ask for is data governance
Read either law with engineering eyes and the same list always appears:
- Where does personal data live? — PII inventory and classification across all systems, not just the CRM.
- Who answers for it? — defined ownership: data controllers with a name and a role.
- Why do you have it? — lawful basis and purpose documented per dataset.
- Until when? — lifecycle: demonstrable retention and deletion (the right to erasure isn't fulfilled with an email; it's fulfilled with a process).
- Can you prove it? — traceability: knowing which system fed which, and being able to show it to an auditor.
That list is not a legal checklist — it is the operational definition of a data governance program. Inventory and classification are a catalog with PII tagging. Ownership is a data operating model. Lifecycle and traceability are retention policies and technical lineage. Frameworks like DAMA-DMBOK and DCAM exist precisely to structure that — culture, organization, processes and technology — with method, not last-minute heroics.
That is why the write-the-policy-and-file-it approach fails against these laws: the document says what should happen, but the authority asks what is happening, where, and who answers for it. Without the operational layer — catalog, owners, lineage, quality — the policy is a wish.
Complying without over-engineering
The good news: compliance doesn't demand the world's most ambitious governance program — it demands the foundation, done right. It is the same foundation that later pays off in trustworthy analytics, cost optimization, and AI that doesn't hallucinate on orphaned data. Data First is also the compliance strategy: first know what data you have, who owns it and why it exists; then everything else.
The most expensive mistake is the reverse order: scrambling in November 2026 to buy a "compliance tool" without having solved ownership or inventory. A tool without a program produces empty evidence.
Where does your organization stand today? A data maturity assessment takes minutes and gives you an honest starting point — what is governed, what is orphaned, and what an auditor would ask you for tomorrow.
Sources: Ley 21.719 — Chilean National Congress Library · Lei 13.709/2018 (LGPD) — Planalto
