Data Protection in Peru

Security in Peru

Database holders and data handlers must adopt technical, organizational and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.

Therefore, they must comply with, among others, the following security measures:

  • Document and implement access management mechanisms, including identification and authentication procedures, biannual verification of assigned privileges, and the use of mechanisms such as passwords, digital certificates and tokens
  • Monitor and periodically review the security measures in place and the training given to staff according to their roles and responsibilities
  • Document and implement the generation of legible and timely records of interactions with personal data (for traceability purposes: account information, timestamps and schedules, actions performed, among others). Such records must be generated continuously and immediately, be retained for a minimum of two years, and be governed by documented procedures for storage, transfer and secure destruction
  • Document and implement measures to prevent unauthorized access to, and reproduction of, digital documents, and require the exclusive use of approved institutional systems and tools, and
  • Implement at least: (i) controls to maintain secure areas, (ii) controls to keep equipment secure both inside and outside the facilities, and (iii) controls to ensure the generation of secure and continuous backup copies and the verification of their integrity, taking as a reference the recommendations in the current edition of “NTP-ISO/IEC 27001:2022 Information Technology. Security Techniques. Information Security Management Systems. Requirements”.

Likewise, with the entry into force of the New Regulation, the holder of the personal database must implement a Security Document bearing a certain (verifiable) date. The Security Document must be kept up to date and contain, as a minimum, the procedures for access management, privilege management and periodic verification of the privileges assigned in the information systems used for the processing of personal data (technological platforms, mobile applications, database engines, among others), as well as the internal policies for the management and processing of personal data, which must take into account the context and the life cycle of the data.

Furthermore, the NDPA (National Data Protection Authority) has issued a Security Directive through Directorial Resolution N° 019-2013-JUS/DGPDP (the Security Directive). It is intended as an instrument that enables those who process personal data to act in accordance with the applicable law, as it provides guidance on the conditions, requirements and technical measures that must be considered in order to comply with the applicable regulation.
