Almost 8 years ago, the Mexican Federal Law on the Protection of Personal Data held by Private Parties (the Federal Law on Data Protection) was enacted. Almost 8 years ago, things started to change in Mexico.
At that time, when companies faced the question "Do you comply?" it was not unusual to hear answers like these:
"This is a fad!"
"Who REALLY cares about personal data?"
"My company doesn't need to comply with THAT law, I only process client's information."
"My IT department is in charge."
"My American/European parent company is in charge of THAT stuff."
Nowadays, things are different and data protection is here to stay in Mexico.
It doesn't matter whether your company is 100% Mexican or a subsidiary of a foreign company: chances are that you must comply and that you really need to review your compliance level (certain companies only comply with one of eight Data Protection Principles).
How unique is the Mexican Data Protection Law?
In a broad sense, the Federal Law on Data Protection is unique in its own way, but it is impossible not to find European, American and APEC-region influences in it. Simply put, Mexico was behind a global trend, and its new Federal Law was fed by the experience of several countries.
Many times, I have said that the Mexican Data Protection Law has 80% European DNA, mostly because of the Data Protection Principles (and the "ARCO rights") that were introduced into the Mexican legal system by reference to the then-in-force Data Protection Directive and the then-forthcoming GDPR.
Because of that, it is easier for European organizations to understand the Mexican data protection requirements; but any DPO with knowledge of the requirements of the European GDPR will find that some Mexican principles are quite similar to those that will soon be enforceable in the EU.