The essentials in 30 seconds
- In 2024 Chile faced 27.6 billion attempted cyberattacks: data breaches are a real and growing threat.
- Law 21.719 requires notifying breaches to the Personal Data Protection Agency without undue delay and, when there is risk, the affected individuals too.
- Fines escalate by severity: up to 5,000 / 10,000 / 20,000 UTM (minor / serious / most serious), tripling on recidivism.
- Three anonymized cases—banking, retail and healthcare—show how prevention avoided leaks and sanctions.
- The recipe: data mapping, impact assessments, encryption, training and a tested response plan.
In an increasingly digitalized world, data breaches represent a constant threat to companies. In Chile, during 2024, the country faced an alarming total of 27.6 billion attempted cyberattacks, marking a significant increase over previous years and underscoring the urgency of strengthening protective measures. According to reports, 60% of Chilean companies have suffered leaks of confidential information following cybersecurity breaches over the past two years, which not only generates financial losses but also irreparable reputational damage. Law 21.719, published on December 13, 2024 and mandatory from December 1, 2026, emerges as a key regulatory framework to mitigate these risks. This regulation, inspired by the European GDPR, requires organizations to implement robust personal data management practices, including mandatory breach notifications and impact assessments. For the full picture of the law, see our definitive guide to Law 21.719.
In this article, we explore real-world stories (anonymized to protect confidentiality) of Chilean companies that, by adopting compliance with Law 21.719, managed to avoid catastrophic data breaches. These narratives, based on documented trends in sectors such as banking, retail, and healthcare, illustrate how prevention is not only a legal obligation but a competitive advantage. If your company handles sensitive data, these lessons could be the shield you need.
Why does Law 21.719 compliance matter?
Before diving into the stories, let's understand the context. Law 21.719 regulates the processing of personal data, defining it as any information relating to an identified or identifiable person. Among its key pillars are the data subject rights (Access, Rectification, Cancellation, and Objection), which allow individuals to control their data, and the obligation to notify security breaches that significantly affect data subjects' rights.
The penalties for non-compliance are severe and escalate with the severity of the violation. The law classifies infringements as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and most serious (up to 20,000 UTM). In case of recidivism the fine can be tripled—reaching up to 60,000 UTM for a repeat most-serious violation—or, only for companies that are not small businesses under Law 20.416, a percentage of annual revenue from sales and services in Chile (2% for serious recidivism and 4% for most-serious). In 2024, Chile recorded billions of leaked records in global breaches, and locally, incidents such as leaks in corporate systems affected millions of users. We analyze the full regime in Fines and sanctions under Law 21.719. To avoid exposure, the law requires measures such as:
- Data mapping: Identify where and how personal data is stored.
- Impact assessments (DPIA): Analyze risks in high-risk processing activities.
- Team training: Educate employees on secure data handling.
- Technology tools: Implement platforms such as OneTrust for consent management and audits.
- Timely notification: Inform the Personal Data Protection Agency (APDP) without undue delay and by the most expedient means, and notify affected parties where applicable.
Adopting these practices not only prevents fines but also strengthens customer trust and reduces vulnerabilities to attacks such as phishing or ransomware, which accounted for a significant portion of the 27.6 billion attempts in 2024.
Notification deadline: Law 21.719 requires reporting the breach to the Agency as soon as possible after becoming aware of it, without undue delay, and informing the affected individuals when there is a risk to their rights. Having the protocol defined before the incident is what makes the difference. Platforms like the ones we cover in implementing OneTrust in Chile help document and coordinate that notification within the deadlines.
Real-world story 1: A Chilean bank avoids a massive leak amid phishing attacks
The challenge faced
Imagine a mid-sized banking institution in Santiago, with thousands of customers and a vast personal data repository. In the first quarter of 2024, the government's CSIRT handled 54 cybersecurity incidents nationwide, many of them related to phishing targeting financial institutions. This company, which we will call "Banco Seguro," detected a similar intrusion attempt: a fake email seeking to access employee credentials.
The steps toward compliance
Before Law 21.719, its approach was reactive. But anticipating its entry into force, the company implemented a comprehensive compliance plan. First, it carried out a thorough data mapping exercise, identifying sensitive flows such as account information and biometric data. Then, it trained its team in threat recognition and data subject rights, ensuring that consents for data processing were explicit and revocable.
The result and lessons
Using tools such as encryption systems and continuous monitoring, it detected the attack in real time and neutralized it without any data exposure. The result: it avoided a potential fine of up to 10,000 UTM for a serious infringement and reduced its incident response times by 60%. Key lesson: investing in regular audits and proactive notifications transforms cybersecurity from a cost into a competitive strength.
Real-world story 2: An online retail chain blocks a ransomware attack
The challenge faced
In the retail sector, where e-commerce handles card data and purchasing preferences, breaches are common. In 2024, Chile saw a spike in attempted cyberattacks during July and August, with ransomware as a primary threat. "Retail Resiliente," a chain with digital operations across the country, faced an attempt of this kind that threatened to encrypt its database of 500,000 customers.
The steps toward compliance
Adopting Law 21.719, the company carried out an impact assessment of its data processes, identifying vulnerabilities in external vendors. It implemented least-privilege access policies (the necessity principle) and a system to manage consents, ensuring that only essential data was processed. In addition, it integrated secure backup tools and mandatory training, which made it possible to detect and isolate the ransomware before it caused any damage.
The result and lessons
The outcome was impressive: not only did it avoid the leak of sensitive data, but it also proactively notified the APDP, demonstrating transparency and avoiding sanctions. This strengthened customer loyalty, with an increase in post-incident sales thanks to the perception of security. Lesson: monitoring data flows and training the team prevents leaks, in line with the obligation to protect children's data and sensitive data under the law.
Real-world story 3: A private clinic avoids exposure of sensitive data
The challenge faced
The healthcare sector is particularly vulnerable, with medical data classified as sensitive under Law 21.719. In 2024, global breaches exposed billions of records, and in Latin America, incidents affected millions of patients. "Clínica Protegida," a healthcare network in Chile's regions, detected an unauthorized access attempt on its medical records system.
The steps toward compliance
To comply with the law, it carried out an initial assessment and adopted an action plan that included encryption of data at rest and in transit, along with mechanisms to exercise data subject rights digitally. It trained its staff in leak prevention and established immediate-notification protocols.
The result and lessons
Thanks to this, it blocked the attempt without any exposure, avoiding fines that—given the negligent handling of sensitive data—could have been classified as most serious (up to 20,000 UTM, and up to 60,000 UTM if recidivism were proven). The added benefit: greater patient trust, reducing legal claims. Lesson: in regulated industries, impact assessments are essential to identify and mitigate risks early.
Conclusion: lessons learned and steps for your company
These real-world stories demonstrate that compliance with Law 21.719 is not a burden but an opportunity to shield your business against breaches that, in 2024, cost billions in global damages. Companies like Banco Seguro, Retail Resiliente, and Clínica Protegida reduced risks by up to 60% by investing in mapping, training, and tools.
To get started:
- Conduct an assessment of your data management.
- Train your team and update your consent policies.
- Implement monitoring and notification tools.
- Monitor continuously to adapt to emerging threats.
Frequently asked questions about data breaches
What should I do after a data breach?
Activate your incident response plan immediately: contain the incident to stop the leak, assess what data and how many data subjects are affected, document what happened, notify the Personal Data Protection Agency and, where appropriate, the affected individuals, and apply corrective measures. Preserving evidence and records is key to demonstrating diligence.
How quickly must a breach be notified?
Law 21.719 requires notifying the Personal Data Protection Agency as soon as possible after becoming aware of the breach, without undue delay. Having a defined notification protocol in advance lets you meet the deadline and reduce the impact of the incident.
What fine do I risk for a data breach?
It depends on the severity. Violations are classified as minor (up to 5,000 UTM), serious (up to 10,000 UTM) and most serious (up to 20,000 UTM). In case of recidivism the fine can be tripled—up to 60,000 UTM for a repeat most-serious violation—or a percentage of annual revenue from sales and services in Chile (2% for serious recidivism and 4% for most-serious) for companies that are not small businesses. More detail in Fines and sanctions under Law 21.719.
How are data leaks prevented?
With a proactive approach: data mapping, impact assessments for high-risk processing, encryption at rest and in transit, least-privilege access control, team training against phishing and social engineering, third-party risk management and a tested incident response plan.
Does Law 21.719 require notifying the affected individuals?
Yes. In addition to notifying the Personal Data Protection Agency, when a breach poses a risk to data subjects' rights the law requires communicating the incident to the affected individuals as well, so they can take protective measures.
Is it worth using technology to manage breaches?
Yes. Platforms such as OneTrust let you document incidents, assess their severity, coordinate notification within legal deadlines and maintain the traceability that demonstrates proactive accountability before the Agency, reducing both operational impact and the risk of sanctions.