The Superintendence intensifies compliance control of the Personal Data Protection Law (2026)

I share a key legal alert about the Organic Law on Personal Data Protection (LOPDP) and its oversight by the Superintendence of Personal Data Protection, in force in 2026.

1. What does the law require of companies today?

In summary, the LOPDP requires:
- Implement a personal data protection management system (map, organize, and document how data is collected, stored, used, and deleted).
- Designate a Data Protection Officer (DPO), responsible for overseeing compliance and serving as liaison with the authority.

This applies to data of:
- Employees
- Suppliers and partners
- Potential clients (leads)
- Current and former clients

2. Risk for the company (2026)

The Superintendence of Personal Data Protection, fully operational since 2025, has intensified its sanctioning powers in 2026. It may impose fines of up to 1% of annual net revenue (not profit, but total billed).

Therefore, data protection is no longer just a "legal" issue, but one of corporate and reputational risk management.

3. Recommended next steps (2026)

We recommend that boards and management:
- Verify whether the company already has a formal data protection system.
- Confirm whether a DPO has been appointed and whether their duties are clear.
- Review internal information handling processes (collection, use, storage, deletion, and transfer to third parties).
- Update consents and privacy policies according to the latest criteria of the Superintendence.

I am available to assess your organization's compliance level and design an adaptation plan according to the regulations in force in 2026.

Remember: The LOPDP (Organic Law on Personal Data Protection) is applicable in Ecuadorian territory since its full effectiveness, and the Superintendence already has resolutions and operational guides that must be observed by all companies that process personal data.