The Superintendence of Industry and Commerce (hereafter, SIC), in its role as the national authority for data protection, conducted a study on the security measures that companies and public entities have implemented to collect, store, use, or process personal data. 31,410 are private companies (95.8%) and 1,353 public entities (4.1%).
According to the Colombian data protection law, all companies and public entities are required to implement technical, human and administrative procedures that are necessary to protect the personal data. Likewise, they must keep the information under the necessary security conditions to prevent their unauthorized use or fraudulent access.
Some conclusions and outcomes of the study are:
34.3% of companies and public entities had complied with the safety requirements that were studied by the SIC. This means that 65.7% have not implemented appropriate and effective measures to guarantee the security of personal data and only 2.7% indicated that they had adopted all the security requirements of the SIC.
79% of companies and public entities have not implemented a specific policy that regulates access to personal information in databases with sensitive information.
71% of organizations did not have security controls in the outsourcing of services for the treatment of personal data.
Within the results of the study, it was found that 148 companies had done nothing about the data security requirements. Therefore, the SIC issued orders to all these companies to implement security measures to ensure the security of personal data.
Finally the SIC identified that the government of Santander has not registered all of its databases and gave it 5 business days to do so. The decision is made by the resolution 71929 of December 10, 2019.