Insights

Data Privacy and Governance: The New Era | SUMāTO

Written by Andrés Lozada | Jul 9, 2026 6:51:11 PM

The first time a client asked me, "Do you know exactly what data of mine you keep, where and why?", I realized I didn't have a clean answer. And if I, who run a technology firm, hesitated, I can imagine the discomfort of any executive who opens their inbox today and finds yet another privacy alert. This month a new European data protection regulation takes effect, and it's already reshaping expectations around the world, including our region. I'm not writing to talk about distant regulation, but about something closer: how to turn privacy into a real capability within your organization.

In short: Privacy has stopped being a last-minute legal matter and become a discipline of data management. Organizations that adopt clear principles (minimization, consent, the right to be forgotten and security by design) don't just reduce risk: they build trust. And well-governed data turns into an asset, not a liability.

Why has privacy become a priority now?

For years, many of us treated personal data as a byproduct: it accumulated because storing it was cheap and because "someday it would come in handy." That model has run its course. Customers are more aware of what they hand over, regulators have raised the bar, and security incidents have gone from technical footnotes to headlines that hit reputation.

The fundamental shift is conceptual: personal data no longer belongs to whoever stores it, but to whoever originates it. The person. That forces companies to justify every piece of data they collect and to answer for its care throughout its entire lifecycle. It isn't a bureaucratic burden; it's the new basis of a relationship of trust with the customer.

The practical principles every organization should adopt

Beyond the text of any regulation, there are universal principles any company can apply regardless of its size or sector. I sum them up this way:

  • Minimization: collect only the data you need for a specific purpose. If you don't know what a field is for, you probably shouldn't be asking for it. Less data means less risk and lower custody costs.
  • Clear consent: the person must understand what they're providing, for what and for how long. Consent buried in fine print isn't consent; it's a trap that sooner or later turns against you.
  • Right to be forgotten: your customer must be able to request that their data be corrected or deleted. This requires knowing where each piece of data lives, something many companies discover they can't do.
  • Security by design: protection isn't added at the end; it's considered from the moment the process or system is designed. Encryption, access control and activity logging as part of the blueprint, not as a patch.
  • Purpose and proportionality: use data for what you declared, not for purposes the person never authorized.

What does "data governance" really mean?

Data governance is the set of rules, roles and processes that define who can do what with the company's information. It isn't software you buy; it's a way of operating. When I talk about governance with a leadership committee, I usually boil it down to four uncomfortable but useful questions:

  • What data do we have? An honest inventory usually reveals duplicates, forgotten databases and spreadsheets living on personal computers.
  • Who is responsible? Every data set needs an owner with a first and last name, not a vague department.
  • At what quality? Imprecise or outdated data contaminates decisions and models; governing it also means caring for it.
  • Under what controls? Access, retention, anonymization and traceability must be documented and auditable.

Data governance and security are two sides of the same coin. If you're interested in going deeper into how to technically protect that information, take a look at our work in cybersecurity, where we treat security by design as an everyday practice.

How do you start building governance without slowing the business?

The most common fear I hear is that privacy will stifle innovation. It's the opposite. Good governance accelerates, because it removes the uncertainty about what can and can't be done with data. I suggest a pragmatic path:

  • Map first: before buying technology, draw the real flow of your data, from the moment it enters to the moment it's deleted.
  • Define simple policies: an average person on your team should be able to explain them in a single sentence. If you need a lawyer to understand them, they won't be followed.
  • Assign owners: name data owners and, depending on your size, a figure to coordinate privacy across the organization.
  • Train your people: most incidents stem from human error, not a sophisticated attack. Culture is the most cost-effective control.
  • Iterate: start with the most sensitive data and advance in waves. Perfect governance that never gets going protects no one.

Well-governed data as an asset, not a liability

Here's the shift in mindset I most want to convey. When a company knows exactly what data it has, at what quality and under what permissions, that knowledge becomes an engine. Analytics stops being a fragile exercise on shaky foundations and starts generating reliable decisions. Personalization becomes respectful because it's based on real consent. Efficiency improves because you're no longer paying to store and move information no one uses.

Put plainly: privacy and profitability aren't on opposite sides. Poorly governed data is a silent liability that accumulates legal, reputational and operational risk. Well-governed data is an asset that sustains customer trust and the quality of every analysis your company produces.

Frequently asked questions

Does this new privacy regulation apply if my company is in LATAM?
It can apply if you offer goods or services to people in Europe or process their data, regardless of where your headquarters are. But beyond the jurisdiction, its logic has become a reference standard worth adopting out of conviction and not just obligation.

Do I need a large technology investment to govern my data?
Not to get started. The first stretch is organizational: inventory, assign owners and define clear policies. Technology comes later, to scale and automate what you already have in order.

Are privacy and security the same thing?
They're related, but not identical. Security protects data against unauthorized access; privacy defines what data it's legitimate to collect and how to use it. You need both, and they work better together.

Where should I start if I don't know where we stand?
With an honest diagnostic of the current state. Knowing what data you have and where it is usually the step that clears the path the most.

The first step

You don't have to solve it all this month. You have to start with clarity. At SUMāTO we work alongside organizations to run a data governance and privacy diagnostic: where your information is, what risks it carries and what asset it could become if you put it in order. If you'd like to take that first step with a concrete conversation about your reality, get in touch and we'll help you chart the path.