
LOPDP compliance for SMBs: where to start (without spending a fortune)

Ecuador's LOPDP has applied since 2023 to almost any company that processes personal data. How to start compliance with quick wins, without hiring a full-time legal team.

Ecuador’s Personal Data Protection Law (LOPDP) has applied since 2023 to any natural or legal person processing personal data in Ecuadorian territory. In practice that is almost any business, from the SMB with an Excel customer list to the exporter with a CRM and international leads.

Three questions we get every week:

“Does it actually apply to me?”

Yes, if you do any of these:

  • Keep a database of clients, leads or employees.
  • Receive data through a web form, WhatsApp, email or the WhatsApp Business API.
  • Process invoices containing ID numbers (RUC, cédula).
  • Run security cameras that capture the public.

What changed with LOPDP isn’t that you now need to ask permission — you always did. It’s that there are now measurable penalties (up to 1% of the previous year’s revenue) and a body (Superintendencia de Protección de Datos Personales) that has started to enforce them.

“Do I need a Data Protection Officer (DPO)?”

It depends. The LOPDP requires a designated DPO in three cases:

  1. When the core activity requires regular, large-scale monitoring.
  2. When sensitive data is processed at scale (health, biometric, financial).
  3. When the authority designates it by sector.

A typical SMB (under 50 employees, mid-size customer base) may not need an in-house DPO, but it does need a designated person and documented processes. For companies in that range we recommend a shared external DPO: it fulfills the role at a fraction of the cost of an in-house one.

“Where do I start?”

Quick wins achievable in four weeks, without hiring full-time legal:

1. Personal-data inventory. List what data you store, where, who has access, and for what purpose. Tedious, but until you have it clear, you can’t declare legal bases or respond to a data-subject request.

2. Mandatory MFA on email and critical tools. The most common personal-data leak in Ecuador is still the compromised email account. MFA eliminates that vector almost entirely.

3. Privacy policy accessible from your site. Document what you collect, why, who you share it with, how long you retain it, and how rights are exercised. Not optional — it’s the first document the Superintendencia looks at.

4. Documented procedure for data-subject requests. When a customer asks to see, correct or delete their data, you must respond within defined deadlines. Without the procedure, you’ll improvise badly.

5. Processing clauses with your providers. Your accountant, your agency, your SaaS CRM — all are “processors” under LOPDP. They need a contractual clause defining the safeguards.

What NOT to do

Don’t start with an exhaustive external audit. It’s tempting to hire a consultant who sells a 200-page PDF with all the findings. Those PDFs end up in a drawer and nothing changes.

Start with the quick wins, document what you already have, and treat LOPDP as a continuous process, not a project with a close date.

If you want a hand

We run an LOPDP diagnostic in four weeks with remediation included — and serve as external DPO for SMBs and exporters that don’t justify one in-house. Let’s talk.

Sound familiar? Start with a free diagnostic of your site or IT operation — 30 minutes, no commitment.