Mexico has recently introduced a new regulatory framework for data protection, as part of broader reforms affecting legislation on transparency, access to information, and the protection of personal data.
This article focuses on the security aspects of data protection. One of the main changes is the dissolution of the existing supervisory authorities, with their responsibilities being transferred to the Secretariat for Anti-Corruption and Good Governance.
On March 20, the Mexican Congress approved two key laws:
- Federal Law on Protection of Personal Data Held by Individuals
- General Law for the Protection of Personal Data in the Possession of Obliged Subjects
These laws had previously been reviewed and approved by the relevant committees in both the Senate and the Chamber of Deputies.
We have analyzed the documents and identified minor modifications in the definitions of database, personal data, sensitive personal data, and processing. A new definition for regulated subject has also been added.
For the private sector
The obligations regarding personal data security remain largely unchanged. Below is a summary of the key articles:
- Article 18 (formerly 19): Requires the definition, implementation, and maintenance of administrative, physical, and technical security measures.
- Article 19 (formerly 20): Establishes the obligation to notify the data subject in the event of a data breach.
- Article 20 (formerly 21): Requires measures to ensure the confidentiality of personal data.
- Article 29 (formerly 30): Mandates the appointment of a person or department responsible for handling data subjects’ requests.
- Article 37 (formerly 44): Refers to self-regulation schemes that data controllers may adopt. This article is significant, as it allows the continuation of certification schemes through the implementation of a Data Protection Management System.
It is important to monitor future updates to secondary regulations, such as the Regulation of the Federal Law on the Protection of Personal Data Held by Individuals (e.g., Article 61), which provides greater detail on specific security obligations, including those related to cloud computing and data breaches.
For the public sector
Similarly, security obligations for public institutions remain aligned with existing practices:
- Article 25 (formerly 31): Requires the implementation of administrative, physical, and technical safeguards.
- Article 26 (formerly 32): Outlines the criteria for selecting appropriate security measures.
- Article 27 (formerly 33): Specifies the security controls to be implemented and maintained—similar to Article 61 of the Regulation for the private sector.
- Article 28 (formerly 34): Mandates the implementation of a documented management system.
- Article 29 (formerly 35): Lists the required elements of the security document.
- Article 30 (formerly 36): Provides guidance on when and how to update the security document.
- Articles 31–35 (formerly 37–41): Define the obligations in the event of a data breach, including notification to data subjects and authorities, and maintaining a breach registry.
- Article 36 (formerly 42): Addresses confidentiality obligations.
- Article 53 (formerly 59): Details the elements that must be included in contracts or legal instruments with data processors.
- Article 68 (formerly 74): Reaffirms the obligation to carry out a Data Protection Impact Assessment (DPIA) when implementing or modifying public policies, systems, or platforms that involve the intensive or significant use of personal data. The new authority must define the specific requirements for these assessments.
Conclusion
While the core obligations concerning personal data security remain unchanged, it is essential to await the issuance of secondary regulations, such as guidelines and technical standards, that will provide clarity on how data controllers can ensure full compliance with the law.
Miriam Padilla Espinosa
MBA, Computer Engineer, proudly from UNAM, passionate about personal data, information security and ICT. All articles are written in a personal capacity.
https://www.linkedin.com/in/mpadillaespinosa
Get in touch with me.