
Law 21.719: what your SME must do before December 2026

By Daniel Petrasic

The deadline: December 1, 2026

Law 21.719 on personal data protection was published in December 2024. It replaces the former Law 19.628 (from 1999) and aligns Chile with international standards such as Europe’s GDPR. Its full enforcement date is December 1, 2026.

If you run an SME in Chile and collect customer data — names, emails, tax IDs, addresses, purchase history — this law affects you directly. It doesn’t matter if you’re an online store, a law firm, a dental clinic, or a software company.


What changes with Law 21.719?

The previous law (19.628) had been in place for 27 years, but it had practically no teeth: no enforcement authority, no significant fines, no real obligations for companies. The new law changes this radically:

1. Data Protection Agency. An autonomous authority is created to oversee, sanction, and resolve complaints. Previously, no such body existed.

2. Explicit consent. A generic “by using this site you accept our terms” is no longer sufficient. Consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw as it was to grant.

3. Expanded ARCO rights. Individuals have the right to Access, Rectify, Cancel, and Object to the processing of their data. Additionally, the new law adds the right to data portability (export your data to another provider) and to object to automated decisions.

4. Real fines. Penalties range from 1 to 5,000 UTM for minor infractions (~$65,000 USD to $305,000 USD), up to 10,000 UTM for serious ones (~$610,000 USD), and 20,000 UTM for the most severe (~$1.2 million USD). For an SME, even a minor fine can be devastating.


The good news: a grace period for SMEs

The law establishes a transitional regime for small and medium-sized enterprises: during the first year of enforcement (December 2026 to December 2027), SMEs will only receive written warnings instead of fines. This doesn’t mean you can ignore the law — it means you have one year to correct course without facing financial penalties.

But be careful: companies that don’t qualify as SMEs (due to data volume or revenue) don’t get this benefit. And after December 2027, fines apply without distinction.


The 7 steps your SME must take before December 2026

Based on our experience implementing data compliance in Chilean companies, this is the action plan we recommend:

Step 1: Data inventory. Make a list of all the personal data you collect, where you store it, who has access, and what you use it for. Include external providers (hosting, email marketing, CRM, analytics). This inventory is the foundation for everything else.

Step 2: Legal basis for each processing activity. For each type of data, identify your legal basis: data subject’s consent, contract performance, legal obligation, or legitimate interest. If you don’t have a clear legal basis, you cannot process that data.

Step 3: Updated privacy policy. Your current policy probably says “we protect your data” without explaining how. The new law requires you to disclose: what data you collect, for what purpose, with whom you share it, how long you retain it, and how to exercise ARCO rights.

Step 4: Consent mechanism. Implement a system to obtain, record, and manage consents. It must be granular (the user chooses what to accept), revocable (one click to withdraw), and demonstrable (you can prove when and how consent was given).

Step 5: Right to deletion. Implement a mechanism for any person to request the erasure of their data. It must be technically feasible (simply “marking as inactive” is not enough) and completed within a reasonable timeframe.

Step 6: Data security. Ensure your systems have encryption in transit (HTTPS) and at rest, role-based access control, regular backups, and an incident response plan. The law requires “appropriate” measures — meaning proportional to the risk.

Step 7: International transfers. If you use services like AWS, Google Cloud, Mailchimp, or HubSpot, you’re transferring data outside of Chile. The law allows this under certain conditions (countries with adequate protection, contractual clauses, explicit consent). Document each transfer and its legal basis.
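
One way to meet the three requirements of Step 4 in code, as an added example that is not from the original article or the author's tooling: consent is stored per purpose (granular), withdrawal is a single call (revocable), and every event is timestamped and hash-chained so the history can be produced on request and edits are detectable (demonstrable). The class, field names, sample values, and the hash-chain design are assumptions for illustration; the law does not prescribe a record format.

```python
import hashlib
import json
from datetime import datetime, timezone

def _digest(body):
    # Hash covers every field plus the previous hash, so a later edit breaks the chain.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only, per-purpose consent log (illustrative design, hypothetical names)."""
    def __init__(self):
        self.events = []  # in production: an append-only table; subject_id pseudonymous

    def _append(self, subject_id, purpose, action, policy_version, source):
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        body = {"subject_id": subject_id, "purpose": purpose, "action": action,
                "policy_version": policy_version, "source": source,
                "at": datetime.now(timezone.utc).isoformat(), "prev": prev}
        self.events.append({**body, "hash": _digest(body)})

    def grant(self, subject_id, purpose, policy_version, source):
        self._append(subject_id, purpose, "grant", policy_version, source)

    def withdraw(self, subject_id, purpose, source):
        self._append(subject_id, purpose, "withdraw", None, source)

    def is_allowed(self, subject_id, purpose):
        # Default deny: the most recent event for this subject and purpose decides.
        for ev in reversed(self.events):
            if ev["subject_id"] == subject_id and ev["purpose"] == purpose:
                return ev["action"] == "grant"
        return False

    def verify(self):
        prev = "0" * 64
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["prev"] != prev or _digest(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

def demo():
    # Constructed sample data: one customer, two purposes, one withdrawal.
    ledger = ConsentLedger()
    ledger.grant("cust-001", "newsletter", "2026-01", "signup-form")
    ledger.grant("cust-001", "analytics", "2026-01", "cookie-banner")
    ledger.withdraw("cust-001", "newsletter", "account-settings")
    return ledger
```

Call `is_allowed` before each processing activity that relies on consent, and run `verify` before exporting the history as evidence.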


Do you need a DPO?

The law requires designating a Data Protection Officer (DPO) in certain cases: public agencies, companies that process sensitive data on a large scale, or companies whose core business is mass data processing.

Most SMEs won’t need a formal DPO, but they do need someone internally responsible for ensuring these obligations are met. This could be the general manager, the IT lead, or an external advisor.


Free tools to get started

You don’t need to hire a $10 million consultancy to get started. These tools help you take the first steps:

  • Free assessment: We built a tool at cumplimiento21719.cl that evaluates your current situation in 15 questions and generates a report with specific recommendations for your company.
  • Data inventory template: A simple spreadsheet with columns for data type, legal basis, location, access, and retention is enough to get started.
  • Privacy policy generator: Online generators exist, but review them carefully — most are based on Europe’s GDPR and don’t account for the specifics of Chilean law.

Conclusion: 8 months to prepare

Law 21.719 is not optional and the fines are real. But the grace period for SMEs gives you a reasonable window to prepare without panic.

The worst thing you can do is ignore it until December. The best: start today with the data inventory and the privacy policy. These are the steps that take the most time and have the greatest impact.

If you need help with the technical implementation — consent mechanisms, data deletion, transfer auditing — that’s exactly what we do.
