Why companies should not wait for approval to prepare for it

For more than a decade, personal data protection in the Dominican Republic has lived under Law No. 172-13. It was a pioneering law for its time, but it was born with credit bureaus in mind. Currently, the National Congress is discussing an amendment to this law, which, if passed, would radically change the rules of the game by making data protection a cross-cutting obligation that reaches virtually any company that handles personal information.

In essence, if your organisation has customers, employees, suppliers or users - that is, if you handle and process personal data - this reform concerns you. Here are the most important changes and what you should start doing now.

Law 172-13 devoted a large part of its articles to regulating Credit Information Companies. The bill, on the other hand, is conceived as a general law, as it applies to all processing of personal data, in any sector -public or private-, regardless of the medium or technology used. In this sense, data protection ceases to be a regulated matter with special emphasis on credit bureaus and becomes a core compliance issue for any company, from a retailer to a clinic, a hotel or a cybersecurity company.

Perhaps the most visible proposed change is the creation of the National Data Protection Authority, an autonomous and specialised body with regulatory, supervisory, investigative and sanctioning powers over all sectors. Until now, control was essentially exercised over the credit sector through the Superintendency of Banks. With the new authority, any company can be subject to inspection, requests for information and real sanctions. Compliance will no longer be theoretical, but will now be monitored.

The project significantly expands the rights of individuals over their data. In addition to the classic rights of access, rectification and erasure, there is now portability (the right to take data in a reusable format to another provider), objection (including objection to marketing) and the right not to be subject to purely automated decisions that significantly affect the individual. The latter has a major impact on those who use credit scoring, personnel selection models or artificial intelligence: they must foresee human intervention and be able to explain the logic of their decisions. And every right exercised carries a response time, so the company will need an agile procedure to deal with them.

The draft introduces a proactive approach: it is no longer enough to process data lawfully; you must be able to prove it. New obligations include the possible appointment of a Data Protection Officer (DPO) depending on the type and volume of processing; the carrying out of impact assessments when a project involves a high risk; privacy by design and by default; and - especially sensitive - the notification of security breaches to the authority within a short period of time, within 72 hours. Whoever suffers an incident and does not know how to react in time will add a breach to the reputational damage.

Another important new feature is the extraterritorial scope. The law may be applied to companies that, even if they are not established in the country, process data of persons in Dominican territory, for example, when offering them products or services online. In addition, the use of cloud providers or services abroad will be subject to a more structured and stringent international transfer regime.

The sanctions regime is modernised with a graduation of minor, serious and very serious offences, and the amounts are substantially increased: very serious offences will be subject to fines of up to DOP50,000,000 (US$820,000). For the management of any company, this moves data protection from the realm of "should be" to the realm of financial and reputational risk management.

What should be done now?

The draft provides for a transition period, but the worst strategy is to wait until the law is finally passed and then wait for it to come into full force and effect before starting. Anticipating this reduces the cost of compliance and exposure to risk.

This project should not be seen as a threat. On the contrary, if well managed, it is an opportunity to put one's house in order, build trust and differentiate oneself. Companies that arrive prepared for the new framework will convey something increasingly valuable to their customers: that their data is in safe hands.