The essentials in 30 seconds
- Law 21.719 compliance is mandatory from December 1, 2026; from that date the Personal Data Protection Agency can audit and sanction.
- It is not a single document: it is 10 fronts that advance in parallel, from governance to training.
- The starting point is always the same: knowing what data you process (inventory and RoPA). Without that map, nothing else holds.
- The goal is not “having paperwork,” but being able to demonstrate compliance: that is accountability.
- Use the self-assessment at the end to locate your level and prioritize.
The question we hear most is not “what does the law say?” but “where do I begin?”. Law 21.719 introduces a paradigm shift —from a reactive approach to a proactive one— and that can feel overwhelming when viewed as a single block. The good news is that compliance can be broken down into manageable fronts, each with concrete deliverables.
This checklist is the same framework we use to structure an adequacy project. It does not replace a formal assessment —every organization processes data differently— but it lets you locate yourself, speak with confidence and prioritize. If you want the full legal picture first, read the definitive guide to Law 21.719.
How to use this checklist
Go through the 10 fronts and honestly mark the state of each point: done, in progress or pending. Don't seek perfection on the first pass; seek visibility. When you finish you'll have a heat map of your program and you'll know where the biggest gaps are. We recommend tackling fronts 1, 2 and 3 first: they are the foundation everything else rests on.
1. Governance and accountability
The law doesn't just require compliance: it requires being able to demonstrate it. That starts with defining who is responsible for data protection within the organization.
- Appoint an owner or Data Protection Officer (DPO), internal or external, with authority and resources.
- Secure formal backing from leadership (privacy as a governance topic, not just IT or legal).
- Define roles: who decides on the data (controller) and who processes it on their behalf (processor).
- Set up a committee or forum that reviews the program's progress regularly.
- Assign budget and a roadmap with milestones through December 2026.
2. Data inventory and Records of Processing Activities (RoPA)
This is the heart of compliance. You can't protect —or declare to the Agency— what you don't know you have. The RoPA is also one of the first documents requested in an audit.
- Build the data inventory: which categories of personal data you process (identification, contact, financial, health, biometric, etc.).
- Identify sensitive data, which require reinforced protection.
- Map where the data lives: systems, spreadsheets, cloud vendors, backups.
- Document the purpose of each processing activity and its lawful basis.
- Record flows and recipients: who accesses internally and which third parties it is shared with.
- Define retention periods and deletion criteria.
- Keep the RoPA alive: assign an owner to update it when a process changes.
3. Lawful bases and consent
Every processing activity needs a legal basis that enables it. Consent is the best known, but not the only one; using it when another applies is a common mistake.
- Assign each processing activity in the RoPA its corresponding lawful basis.
- Where the basis is consent, ensure it is free, specific, informed and unambiguous (a clear affirmative action).
- Eliminate implied or pre-ticked consent: it is no longer valid.
- Enable consent to be withdrawn as easily as it was given.
- Keep records and proof of consent (when, for what and how it was obtained).
- Review every capture point: web forms, contracts, apps, cookies, campaigns.
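Fronts 2 and 3 both come down to the same question: does every row of the RoPA carry the fields an auditor will ask for? The script below is an added example (not code from the original article) that treats the RoPA as structured data and checks each processing activity for the items listed above: owner, purpose, lawful basis, proof of consent with a clear affirmative action and a withdrawal channel where the basis is consent, retention criterion, and a flag on sensitive categories. The record layout, field names, the set of lawful bases and the three sample activities are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Lawful bases the checker accepts. Illustrative names (assumption): the article
# does not enumerate the bases, so map these to the ones your legal team defines.
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}

# Categories the article names as sensitive and needing reinforced protection.
SENSITIVE_CATEGORIES = {"health", "biometric"}


@dataclass
class ConsentProof:
    """Proof of consent: when, for what and how it was obtained."""
    obtained_at: str
    purpose: str
    method: str
    affirmative_action: bool          # False for pre-ticked boxes or implied consent
    withdrawal_channel: Optional[str] = None


@dataclass
class ProcessingActivity:
    """One row of the RoPA (assumed layout)."""
    name: str
    owner: str                        # person who keeps this row current
    purpose: str
    categories: set[str]              # e.g. {"identification", "financial"}
    systems: list[str]                # where the data lives
    recipients: list[str]             # internal teams and third parties
    lawful_basis: Optional[str] = None
    retention: Optional[str] = None   # retention period or deletion criterion
    consent: Optional[ConsentProof] = None


def check_activity(a: ProcessingActivity) -> list[str]:
    """Return findings for one activity. 'GAP:' items are missing evidence;
    'FLAG:' items need follow-up (reinforced protection, DPIA review)."""
    f: list[str] = []
    if not a.owner:
        f.append("GAP: no owner, the row will go stale")
    if not a.purpose:
        f.append("GAP: purpose not documented")
    if a.lawful_basis not in LAWFUL_BASES:
        f.append(f"GAP: lawful basis missing or unknown ({a.lawful_basis!r})")
    if a.lawful_basis == "consent":
        if a.consent is None:
            f.append("GAP: consent basis but no proof of consent recorded")
        else:
            if not a.consent.affirmative_action:
                f.append("GAP: implied or pre-ticked consent is not valid")
            if not a.consent.withdrawal_channel:
                f.append("GAP: no withdrawal channel, withdrawing must be as easy as giving")
    if not a.retention:
        f.append("GAP: no retention period or deletion criterion")
    if not a.systems:
        f.append("GAP: no system recorded, unknown where the data lives")
    sensitive = sorted(a.categories & SENSITIVE_CATEGORIES)
    if sensitive:
        f.append(f"FLAG: sensitive categories {sensitive} need reinforced protection")
    return f


def check_ropa(activities: list[ProcessingActivity]) -> dict[str, list[str]]:
    """Run the checks over the whole inventory, keyed by activity name."""
    return {a.name: check_activity(a) for a in activities}


def gaps(findings: list[str]) -> list[str]:
    """Only the blocking items, for a quick count per activity."""
    return [x for x in findings if x.startswith("GAP:")]


# Constructed sample inventory (not real data).
SAMPLE_ROPA = [
    ProcessingActivity(
        name="payroll", owner="HR lead", purpose="pay salaries",
        categories={"identification", "financial"}, systems=["hr-saas"],
        recipients=["finance", "payroll-provider"], lawful_basis="contract",
        retention="5 years after contract ends",
    ),
    ProcessingActivity(
        name="newsletter", owner="marketing", purpose="send campaigns",
        categories={"contact"}, systems=["mailing-tool"], recipients=["mailing-vendor"],
        lawful_basis="consent", retention="until unsubscribe",
        consent=ConsentProof("2025-03-01", "campaigns", "pre-ticked box on signup",
                             affirmative_action=False),
    ),
    ProcessingActivity(
        name="wellness-program", owner="", purpose="track employee health goals",
        categories={"identification", "health"}, systems=["shared-spreadsheet"],
        recipients=["wellness-vendor"],
    ),
]

if __name__ == "__main__":
    for name, findings in check_ropa(SAMPLE_ROPA).items():
        print(name, "->", findings or ["ok"])
```

Run it against an export of your own inventory and the output is the heat map the article describes: rows with no gaps are evidence you can show the Agency; rows with gaps are the work plan. Keeping the checker next to the RoPA also helps with the last point of front 2, because it fails loudly when someone adds an activity without an owner.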
4. Data subject rights (ARSOP)
People can exercise their rights and your company must be ready to respond on time. These are the ARSOP rights: Access, Rectification, Suppression (erasure), Opposition and Portability (what used to be known as ARCO rights, extended with portability).
- Provide a clear, accessible channel to receive requests.
- Define an identity verification procedure for the requester.
- Establish an internal flow with owners and response deadlines.
- Prepare response templates for each type of right.
- Keep a log of requests received and resolved (evidence for the Agency).
Handling rights manually, case by case, works at low volumes but breaks down when many requests arrive at once. We cover the full process —deadlines, exceptions and templates— in how to respond to ARSOP rights requests.
5. Information security
The law requires technical and organizational measures appropriate to the risk. This is where IT, security and privacy converge.
- Apply access control under the least-privilege principle.
- Implement encryption in transit and at rest for sensitive data.
- Maintain tested backups and a recovery plan.
- Adopt privacy by design and by default in new projects.
- Apply pseudonymization or anonymization where possible.
- Document the measures: they are part of the compliance evidence.
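The pseudonymization point above is where privacy and security engineering meet, and it is easy to get wrong: replacing an email address with a plain hash looks anonymous but stays relinkable by anyone who can guess the input. The following is an added example (not code from the original article) of keyed pseudonymization with HMAC-SHA256, where the key is kept apart from the dataset under least-privilege access (assumption: in a secret store, never beside the data), plus a minimization step that drops direct identifiers by default. The `relink` function exists only to show the difference between the two approaches on constructed sample data; the field names and sample records are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional


def pseudonymize(value: str, key: bytes, domain: str = "customer") -> str:
    """Deterministic keyed pseudonym. The same identifier always yields the
    same token (records stay joinable for analytics), but without the key the
    token cannot be traced back to the person. The domain tag keeps tokens
    from different datasets (e.g. customers vs. employees) unlinkable."""
    msg = f"{domain}:{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def unkeyed_hash(value: str) -> str:
    """The weak variant many teams reach for: a plain SHA-256 of the value."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()[:32]


def relink(token: str, candidates: Iterable[str],
           hash_fn: Callable[[str], str]) -> Optional[str]:
    """Map a token back to an identifier from a list of plausible values.
    Succeeds against an unkeyed hash of a guessable identifier; fails against
    the keyed pseudonym for anyone who does not also hold the key."""
    for c in candidates:
        if hash_fn(c) == token:
            return c
    return None


def pseudonymize_record(rec: dict, key: bytes, identifier_field: str,
                        keep: tuple) -> dict:
    """Privacy by default: replace the direct identifier with a pseudonym and
    drop every field not explicitly listed in `keep` (data minimization)."""
    out = {k: rec[k] for k in keep if k in rec}
    out["pseudo_id"] = pseudonymize(rec[identifier_field], key)
    return out


# Constructed sample data (not real people). In practice the key is generated
# once and read from a secret store; it is created here so the example runs.
SAMPLE_KEY = secrets.token_bytes(32)
SAMPLE_CUSTOMERS = [
    {"email": "Ana@Example.cl", "name": "Ana", "plan": "pro", "spend": 120},
    {"email": "bob@example.cl", "name": "Bob", "plan": "free", "spend": 0},
]


def build_analytics_dataset(records: list, key: bytes) -> list:
    """What the analytics team receives: plan and spend, no names or emails."""
    return [pseudonymize_record(r, key, "email", keep=("plan", "spend"))
            for r in records]


if __name__ == "__main__":
    for row in build_analytics_dataset(SAMPLE_CUSTOMERS, SAMPLE_KEY):
        print(row)
```

Two properties matter for the RoPA entry that describes this dataset: the pseudonymized copy is still personal data for the organization, because the key allows relinking, so it keeps its lawful basis and retention rule; and the key itself becomes an asset to put under access control, since whoever holds it can undo the measure.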
6. Breach notification
A mishandled breach multiplies the legal and reputational damage. Preparation makes the difference between an orderly response and a crisis.
- Have an incident response plan with defined roles and steps.
- Establish how to detect and assess the severity of a breach.
- Prepare the notification to the Agency without undue delay and by the most expedient means (the law sets no fixed hour-based deadline; the 72-hour mark is an international best-practice benchmark), and the communication to affected individuals when the breach involves sensitive data, data of children and adolescents, or economic and financial data.
- Keep an incident log, even of those not notified.
- Rehearse the plan with a drill at least once.
7. Processors and agreements (DPA)
When a third party processes data on your behalf (a cloud provider, an agency, an HR system), you remain responsible. The contract is the tool to manage that risk.
- Identify all processors that access personal data.
- Sign or update the data processing agreements (DPA) with data protection clauses.
- Verify that each processor offers sufficient security guarantees.
- Regulate the use of sub-processors and require notification of changes.
- Include obligations of assistance with rights and breaches.
8. International transfers
If you send data outside Chile —common with cloud services— you need a basis that guarantees an adequate level of protection.
- Map which data leaves the country and where it goes.
- Verify the basis enabling each transfer (adequate level, contractual guarantees or others provided for).
- Document the guarantees applied to each flow.
- Review the chain when the provider in turn subcontracts outside Chile.
We go deeper on this front in extraterritoriality and international transfers.
9. Impact assessments (DPIA)
For high-risk processing —sensitive data at scale, profiling, automated decisions— the impact assessment is no longer optional.
- Define when a DPIA is triggered in your organization.
- Assess risks to data subjects and mitigation measures.
- Document the DPIA and review it when the processing changes.
- Integrate the DPIA at the start of new projects, not at the end.
10. Training and culture
The weakest link is usually human. A program without culture stays on paper.
- Train all staff who handle data, focusing on the most exposed areas (HR, marketing, sales, support).
- Keep evidence of training (attendance, dates, content).
- Publish clear, easily accessible internal policies.
- Reinforce key messages periodically, not just once.
Self-assessment: where does your company stand?
Count how many of the 10 fronts you have in the “done” state. This quick reading helps prioritize the internal conversation:
| Fronts “done” | Level | What it means |
|---|---|---|
| 0 – 2 | Initial | Starting point. The priority is the assessment and the inventory/RoPA to gain visibility. |
| 3 – 5 | Developing | There's a foundation, but critical fronts remain open. A plan with milestones and owners helps. |
| 6 – 8 | Advanced | Solid program. Focus on closing fine gaps and sustaining it (records, evidence, review). |
| 9 – 10 | Mature | Demonstrable compliance. The challenge is continuous improvement and keeping everything current. |
This self-assessment is indicative. Two companies with the same score can face very different risks depending on the type and volume of data they process. A formal assessment weighs that real risk.
Want to know exactly which fronts leave you exposed?
A Law 21.719 assessment translates this checklist into a prioritized plan for your organization. 30 minutes, no commitment.
Frequently asked questions
Where do you start to comply with Law 21.719?
With a gap assessment: build the inventory of the data your organization processes, where it is stored and with whom it is shared, and create the Records of Processing Activities (RoPA). Without that map you cannot assign lawful bases, assess risk or prioritize the rest of the program.
Are Records of Processing Activities (RoPA) mandatory?
Maintaining records of processing activities is a core piece of the accountability the law requires. A current RoPA is how you demonstrate to the Agency what data you process, for what purpose, on which lawful basis and with what security measures.
How long does it take to adapt?
It depends on the size and complexity of the processing. A typical project combines an initial assessment, remediation of priority gaps and the rollout of sustainable processes. The key is not to leave it for the end of the adequacy period: several actions (processor agreements, consent management, security) require coordination with third parties and implementation time.
What happens if my company is not ready in time?
From December 1, 2026, the Personal Data Protection Agency can audit and sanction. Infringements are classified as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and very serious (up to 20,000 UTM), with aggravation for recidivism. Moving forward with a documented plan, even if not everything is closed, demonstrates accountability and acts as a mitigating factor.