The essentials in 30 seconds
- Privacy done well is a seal of credibility: it turns compliance with Law 21.719 into trust your customers can perceive.
- Trust is not declared, it is demonstrated: clear policies, verifiable consent and timely handling of data subject rights.
- The benefits are measurable: more loyalty and lifetime value, better conversion, less exposure to fines and shorter B2B sales cycles.
- The path: assessment → governance → deployment → continuous improvement, with KPIs that demonstrate value.
- Compliance is mandatory from December 1, 2026; it is worth using the transition period to close gaps.
For most companies in Chile, Law 21.719 is experienced first as a legal obligation. But those who approach it strategically discover something more valuable: data protection, done well, becomes one of the best engines of customer trust. In a market that is increasingly aware of its privacy, demonstrating that you handle data with care stops being a compliance cost and becomes a competitive advantage.
In this article we break down why privacy builds trust, what concrete and measurable benefits it brings to the business and how to implement it in phases. If you are looking for a complete view of the regulation, start with our definitive guide to Law 21.719.
What changes with Law 21.719
Law 21.719 regulates the processing of personal data and creates the Personal Data Protection Agency. It was enacted in late 2024, with deferred entry into force starting in December 2026.
The law emphasizes principles such as lawfulness, purpose limitation, minimization, transparency and proactive responsibility (accountability). It requires technical and organizational measures proportionate to risk, incident management, records of processing activities, impact assessments where applicable, and higher information standards toward data subjects.
Key changes:
- A framework aligned with global standards (for example, GDPR)
- A specialized agency with oversight and sanctioning powers
- A stricter sanctioning regime: fines of up to 20,000 UTM (and up to 60,000 UTM with recidivism)
- Emphasis on transparency, data subject rights and risk management
Compliance is mandatory from December 1, 2026, after a 24-month adjustment period counted from its publication on December 13, 2024. We go deeper into the sanctions regime in the definitive guide to Law 21.719.
How privacy builds trust
Customer trust is built on perceptions of security, control and transparency. Privacy done well acts as a "seal of credibility": when a brand clearly explains what data it collects, why and for how long, and demonstrates that it respects user choices, it reduces friction and enables a long-term relationship.
Trust is not declared; it is demonstrated through:
- Accessible policies
- Understandable notices on forms
- Verifiable consent
- Timely responses to rights requests
- Honest communication when incidents occur
In B2B markets, maturity in privacy, metrics and audits accelerates approvals and reduces barriers to entry with counterparties that require equivalent frameworks.
Measurable benefits for the company
The benefits of investing in privacy combine intangible impacts (reputation, brand preference) and tangible ones (efficiency, lower risk, revenue):
- Loyalty and higher lifetime value by reducing customer uncertainty
- Better data quality and conversion rates thanks to clear consent and preferences
- Reduced exposure to fines and incident-related costs
- Operational efficiencies through records of processing activities, request automation and impact assessments
- Commercial enabler: facilitates third-party audits, partner agreements and international expansion
Standardization and evidence of compliance improve the customer's risk perception, open commercial conversations and sustain results over time. You can see how we approach it with real clients in our case studies.
Trust is not marketing. A privacy promise only builds trust if it is backed by evidence: consent records, rights handling within deadlines and traceability of decisions. Promising more than you can demonstrate erodes reputation faster than promising nothing at all.
Obligations the customer perceives
Although the law incorporates multiple requirements, there is a subset that the user experiences directly:
- Transparency in privacy policies: what data, for what purpose, on what legal basis, for how long and with whom it is shared
- Consent: where applicable, with a traceable record of the user's preferences
- Data subject rights: access, rectification, erasure, objection, portability and timely handling
- Breach notification: when there is significant risk to data subjects, in clear language and with mitigation actions
A phased strategy for implementation
- Assessment: Inventory processing activities and data flows, identify legal bases, classify risks, map third parties and detect gaps
- Governance: Define policies, a privacy committee, owners, RoPA (records), an audit calendar, a DSAR mechanism and a training plan
- Deployment: Embed privacy by design, standardize forms and consents, implement cookie management, activate DPIAs where applicable
- Operation and continuous improvement: Simulate incidents, review vendor contracts, update risk matrices, track metrics and report progress
A privacy management platform helps sustain these phases with automation and traceability. We go deeper into the how in implementing OneTrust in Chile.
Communication best practices
Communication turns compliance into perceived trust. It is not about "more text," but about clarity and control:
- A privacy policy in plain language, with an executive summary up front
- Contextual notices next to forms and submit buttons, explaining purposes and legal basis
- A preference center with readable options and consent traceability
- Responses to requests with deadlines and statuses visible to the user
- Transparency when incidents occur: explaining impact, measures taken and practical recommendations
Back-office and security that uphold the promise
The customer experience depends on solid internal processes:
- Minimization and retention: collect only what is necessary, define timelines and secure deletion mechanisms
- Security proportionate to risk: encryption in transit and at rest, multi-factor authentication, identity and access management, segmentation and backup
- Impact assessments (DPIAs): for high-risk processing and periodic reviews
- Contracts with data processors: incorporating privacy and security clauses
- Logs and evidence: records of consents, rights handling, incidents and audits
KPIs to demonstrate value
- Opt-in rate by channel and consent quality
- DSAR SLA: average response time and percentage within the deadline
- NPS or CSAT at sensitive stages (sign-up, checkout, data changes)
- Incidents: MTTA/MTTR, severity, notified vs. contained, corrective actions
- Audit findings: critical issues resolved, maturity by domain (data, cookies, third parties, security)
- Economic impact: hours avoided, savings on licenses and services, revenue variation attributable to consent and preference practices
Mini-cases by industry
Retail and eCommerce
Risk: Forms without a clear legal basis and excessive tracking. Measures: Cookie management with equivalent rejection, a preference center, consent tags by channel, readable policies. Benefits: Fewer complaints, better lead quality and higher conversion.
Healthcare
Risk: Sensitive data with insufficient controls. Measures: DPIA, least-privilege access controls, encryption, access audits, limited retention and a breach protocol. Benefits: Patient trust, lower exposure to incidents and fines.
Financial services
Risk: Opaque use of profiles and automated decisions. Measures: Documented legal basis, scoring explainability, objection mechanisms where applicable and reinforced security. Benefits: Lower churn from mistrust and greater regulatory resilience.
B2B SaaS
Risk: Weak contracts with processors and sub-processors. Measures: DPA, security addenda, sub-processor records and periodic reporting. Benefits: Shorter sales cycles and less friction in due diligence.
Education
Risk: Inadequate consent for minors and reuse of academic data. Measures: Clear notices and permissions for guardians, limited profiles, minimal retention and platform security. Benefits: Family trust and operational continuity.
Common mistakes to avoid
- Treating privacy solely as a legal matter or solely as an IT issue; it requires cross-functional coordination
- Lengthy but unintelligible policies; clarity is key to trust
- Ambiguous or pre-checked consents; they compromise validity and reputation
- Failing to record evidence; this hinders audits and defense before the authority
- Not training front-line teams; human error is one of the leading sources of incidents
Frequently asked questions
When does Law 21.719 take effect?
It was published on December 13, 2024, and compliance is mandatory from December 1, 2026, after a 24-month adjustment period. We recommend using the transition period to close gaps.
What are the maximum fines for non-compliance with Law 21.719?
Violations are classified as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and most serious (up to 20,000 UTM). In case of recidivism the fine can be tripled—up to 60,000 UTM—or a percentage of annual revenue from sales and services in Chile (2% for serious recidivism and 4% for most-serious) for companies that are not small businesses. The Agency may conduct oversight and order corrective measures.
Must all data breaches be notified?
No. The risk to data subjects is assessed. When there is significant risk, the authority and, where applicable, the affected individuals must be notified, in clear language and with mitigation actions.
Why can data protection improve business results?
Because it reduces friction and raises the customer's perception of security and control. A professionalized privacy program improves data quality and conversion rates, builds loyalty, accelerates B2B approvals and reduces exposure to fines and incident-related costs.