
GUIDELINES FOR PERSONAL DATA PROTECTION BY DESIGN AND BY DEFAULT

Written by:

On November 13, 2025, the Official Register published Resolution No. SPDP-SPD-2025-0040-R issued by the SPDP (Superintendencia de Protección de Datos Personales, Ecuador's data protection authority), through which the Guidelines for Personal Data Protection by Design and by Default were approved.

The resolution establishes that the principles set out in Chapters 1 and 2 of the Guidelines are mandatory when they apply to the specific context of a personal data processing activity. The remaining content is for guidance purposes and is considered a good practice to strengthen risk management. Below is a summary of the key points.

  1. Personal Data Protection by Design and by Default

The LOPDP (Ley Orgánica de Protección de Datos Personales) requires that any project involving personal data processing incorporate security measures from the design phase, assessing potential risks to data subjects' rights. This means anticipating, before the system is built, what data will be used, how it will be protected, and what risks may arise over the life of the processing.

Protection by default requires that the initial configuration of any system be oriented toward minimizing data use. By default, only the data strictly necessary for the intended purpose should be processed.

  2. Zero Trust Architecture in Personal Data Processing

The Guidelines adopt a Zero Trust Architecture approach, an information security model based on the principle that no process, user, or system is trusted implicitly: every request is verified regardless of where it comes from. Applied to personal data protection, this approach requires verifying every action related to data processing against its authorized purpose and avoiding broad or uncontrolled access.

To implement this approach, the Guidelines organize the technical and organizational recommendations into three complementary pillars:

  • DevPrivOps: Integrates privacy into system development through principles such as minimizing data use, applying data-hiding techniques, restricting access, informing data subjects, and enabling effective mechanisms for exercising their rights.
  • DevSecOps: Incorporates security measures from the earliest stages of software development and data storage systems. This includes automated vulnerability testing, continuous monitoring, and collaboration between technical and legal teams to identify and mitigate risks in personal data processing.
  • DevRiskOps: Focuses on risk management by integrating both data protection risks and information security risks, enabling decision-making based on impact and probability.
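The three DevPrivOps and Zero Trust ideas above (process only the data a purpose needs, hide identifiers by default, verify every access, and keep a record that lets data subjects exercise their rights) can be made concrete in a small processing gate. The example below is an added illustration and is not code from the SPDP Guidelines or from the Firm; the record, field names, roles, purposes, and the pseudonymisation key are all constructed for the demonstration.

```python
"""Privacy-by-default processing gate: minimise, hide, restrict, record.

Added illustration only (not from the SPDP Guidelines or TobarZVS).
The sample record, purposes, roles, and key below are constructed.
"""
import hashlib
import hmac

# Constructed sample record, as a sign-up form might collect it.
RAW_RECORD = {
    "email": "ana.perez@example.com",
    "display_name": "Ana",
    "ip_address": "203.0.113.7",
    "device_id": "dev-4f2a",
    "date_of_birth": "1990-05-02",
    "national_id": "1712345678",
}

# Minimisation: each purpose declares the fields it needs; nothing else passes.
PURPOSE_FIELDS = {
    "account_creation": {"email", "display_name"},
    "fraud_screening": {"email", "ip_address", "device_id"},
}

# Zero trust: roles are bound to purposes and every call is checked, not assumed.
ROLE_PURPOSES = {
    "support_agent": {"account_creation"},
    "fraud_analyst": {"fraud_screening"},
}

# Data hiding by default: identifiers leave the gate pseudonymised unless the
# caller explicitly asks to reveal one, and that reveal is recorded.
HIDDEN_BY_DEFAULT = {"email", "ip_address", "device_id"}

# Constructed key for the demo; in production it lives in a KMS/HSM, not in source.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Who accessed what about whom; the basis for answering access/erasure requests.
AUDIT_LOG = []


class AccessDenied(Exception):
    pass


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, consistent pseudonym: same input -> same token; unlinkable without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def can_process(role: str, purpose: str) -> bool:
    """Explicit allow-list check; unknown roles and purposes are denied."""
    return purpose in ROLE_PURPOSES.get(role, set())


def process(record: dict, role: str, purpose: str, reveal=()) -> dict:
    """Return the minimal view of `record` this role may see for this purpose."""
    reveal = set(reveal)
    subject = pseudonymise(record["email"])  # log by pseudonym, not by clear identifier
    if not can_process(role, purpose):
        AUDIT_LOG.append({"role": role, "purpose": purpose, "subject": subject,
                          "outcome": "denied", "revealed": []})
        raise AccessDenied(f"role {role!r} may not process data for {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    if not reveal <= allowed:
        raise AccessDenied("cannot reveal a field the purpose does not need")
    view = {}
    for field in allowed:
        if field not in record:
            continue  # a missing field is not an error: we never ask for more
        value = record[field]
        if field in HIDDEN_BY_DEFAULT and field not in reveal:
            value = pseudonymise(value)
        view[field] = value
    AUDIT_LOG.append({"role": role, "purpose": purpose, "subject": subject,
                      "outcome": "allowed", "revealed": sorted(reveal)})
    return view


def subject_access_report(email: str) -> list:
    """Rights exercise: every recorded access concerning one data subject."""
    token = pseudonymise(email)
    return [entry for entry in AUDIT_LOG if entry["subject"] == token]


if __name__ == "__main__":
    print(process(RAW_RECORD, "support_agent", "account_creation"))
    print(process(RAW_RECORD, "fraud_analyst", "fraud_screening", reveal={"ip_address"}))
    print(subject_access_report("ana.perez@example.com"))
```

The point of the structure is that the safe outcome needs no decision from the caller: a new purpose that is not declared gets no fields at all, an identifier that nobody asked to reveal never leaves in the clear, and an access that was refused still appears in the subject's report. Swapping the constructed key for one held in a key management service is the only change needed to make the pseudonyms production-grade.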

  3. Maturity model

The Guidelines include a non-mandatory reference model that allows organizations to assess their level of maturity in implementing these principles. The model ranges from a chaotic stage to a mature stage, depending on the degree of adoption across processes.

  4. Review and updates

The resolution establishes that, within one year of its publication, the Office of Technological Innovation and Personal Data Security must review and evaluate the content of the Guidelines to ensure continuous improvement and subsequently submit the corresponding technical report to the Superintendent of Personal Data Protection.


© TobarZVS

This publication contains information of general interest and does not constitute legal opinion on specific issues. Any analysis will require legal advice from the Firm.