A Multidisciplinary Cell — legal, process and technology — that acts as your data protection team for a fraction of the cost of one employee. Registered with the SPDP under Art. 49 LOPDP.
Ecuador's Personal Data Protection Law (LOPDP) creates obligations that span three simultaneous dimensions. A single profile can't cover all three — a multidisciplinary cell can.
Analysis of lawfulness bases, drafting of DPAs and privacy clauses, ARCO rights management, regulatory monitoring. Specialized in LOPDP and SPDP resolutions.
BPMN data flow diagrams by macroprocess, construction and maintenance of the Activity Treatment Register (RAT), DPIA methodology, identification of compliance gaps.
Audit of encryption, RBAC access control, audit logs and pseudonymization. DPA review with technology providers. Technical support in incident response.
Every client gets the complete Cell — not just a DPO. When a ticket comes in, it's handled by the right specialist from day one.
Independent supervision of LOPDP compliance. Official point of contact with the SPDP and data subjects. Registered under Art. 49 LOPDP.
Analysis of lawfulness bases, drafting and review of DPAs, privacy notices and contractual clauses. Monthly Legal Bulletin with regulatory updates.
BPMN data flow mapping by macroprocess, RAT construction and maintenance, DPIA methodology, translation of regulatory requirements into executable processes.
Evaluation of technical security controls: encryption, RBAC, audit logs, pseudonymization. DPA review with technology vendors. Technical incident support.
Operational coordination: ticket management, SLA monitoring, meeting agendas, deliverable tracking. Primary operational contact with the client's Internal Owner.
Monthly NPS, quarterly formal reviews, early detection of retention risks. Escalation path when any level of the service isn't meeting expectations.
Contract and NDA signing. DPO registration with SPDP. Full infrastructure activation: institutional DPO email, ticket portal, repository, Looker Studio dashboard. 90-minute Kickoff session.
Complete data mapping by macroprocess: what data, what subjects, what lawfulness basis, what controls. Vendor ecosystem audit. Diagnosis Report + Action Plan v1.
RAT construction, DPA drafting with strategic vendors, ARCO channel implementation, privacy notices, policy development, technical control implementation.
Monthly cycle: DPO Monthly Report, Legal Bulletin, weekly meetings, ticket management with SLAs, rotating audits. The SGPDP stays alive and current.
All tiers include the complete six-role Cell. The difference is the monthly hours volume and the implementation scope.
Organizations that process data at large scale, habitually and systematically, or that process special category data must designate and register a DPO with the SPDP. Most medium and large Ecuadorian companies are required to comply.
Health, biometric, financial, ethnic origin, sexual orientation and other sensitive data are subject to reinforced obligations: explicit consent, DPIA, and more restrictive lawfulness bases.
Data transfers outside Ecuador require adequate guarantees. Cloud providers, SaaS platforms and international partners must be analyzed and, when applicable, formalized under the RIPD Model Contractual Clauses.
Any security incident involving personal data must be notified to the SPDP within 72 hours of detection. DataGuard has a defined protocol to meet this deadline without operational disruption.
An outsourced DPO is a specialized external team that performs the functions of the Data Protection Delegate required by Art. 49 LOPDP. The Ecuadorian law expressly allows this model. Wiibiq offers a Multidisciplinary Cell combining legal, process and technology profiles — coverage no individual DPO can match alone.
Art. 49 LOPDP requires it for controllers and processors that carry out large-scale processing, habitual and systematic processing of data subjects, or processing of special categories of data (Art. 25 LOPDP). In practice, this includes most medium and large companies operating in Ecuador.
The service activates within a maximum of 7 business days from contract signing. In that week the DPO is registered with the SPDP, all infrastructure is activated (institutional DPO email, ticket portal, repository, dashboard) and the 90-minute Kickoff is held with the client's team.
The RAT (Activity Treatment Register) is the formal inventory of all personal data processing operations in an organization. It is mandatory under the LOPDP and is the first document the SPDP requests in any inspection. Without an updated RAT, an organization cannot demonstrate compliance.
A lawyer covers the legal dimension, but effective LOPDP compliance also requires BPMN process mapping, technical security control evaluation, operational ARCO channel management, and continuous independent supervision. DataGuard delivers a Cell of six specialized roles operating in a coordinated manner — DPO, compliance lawyer, process specialist, IT specialist, account executive and client success leader.
We analyze your organization's current LOPDP compliance status in two weeks. You receive a concrete action plan — regardless of whether you continue with DataGuard.
Request free diagnosis →