Cybersecurity 2025

MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel

rity practices that data controllers should adopt. This lack of specificity creates challenges in ensuring comprehensive compliance and uniformity in practices across different sectors and organisations.

Data Breach Notification Requirements

In the event of a data breach, public entities that handle personal data have an obligation to notify affected individuals (data subjects) about the incident. They are also required to inform the INAI, which plays a central role in monitoring compliance with the Mexican DPRs and enforcing regulations. This is a crucial step in ensuring transparency and accountability in cases of data breaches.

Private data controllers, on the other hand, have a more limited obligation. They are only required to notify those data subjects directly affected by the breach, rather than making a broader public notification.

When notifying affected individuals, the data controller must provide detailed information, including:

• a description of the nature of the incident;
• the personal data that was compromised;
• recommendations for the data subjects to protect their interests following the breach;
• an overview of the immediate corrective measures taken upon detecting the breach; and
• information on how individuals can seek further details about the incident.

Despite these requirements, the Mexican DPRs do not offer a detailed, standardised procedure for data breach notification. The absence of clear guidance on the format, timing, and channels for notification can lead to inconsistencies in how organisations manage and communicate data breaches.

INAI’s Role and Best Practices in Data Breach Management

In light of the gaps in the legal framework, the INAI proactively issued recommendations and guidelines to assist organisations in preparing for potential data breaches. These guidelines provide recommendations on how to assess the severity of data incidents, implement appropriate response measures, and manage incidents according to best practices in incident management and data protection.

The INAI’s involvement was critical in guiding organisations through the complex process of breach management and ensuring compliance with Mexico’s data privacy laws. Although the INAI’s recommendations were not legally binding, they helped to establish a more standardised approach to data breach management across sectors.

Differences Between Public and Private Sector Obligations

The Mexican DPRs distinguish between the obligations of public and private sector entities in processing personal data. Public entities face more extensive obligations, including the requirement to report breaches both to affected individuals and the INAI. In contrast, private sector entities have less stringent requirements and are only compelled to notify individuals directly affected by a breach. This differentiation creates a potential imbalance in the level of protection afforded to individuals, depending on whether their data is handled by public or private entities.

Moreover, local legislation may provide additional provisions related to cybersecurity, further complicating the regulatory landscape. Although

194 CHAMBERS.COM