The data of millions of citizens passes through your institution. The legal responsibility rests with you.
The LOPDP does not penalize abstract concepts: it penalizes people. If your institution loses control of its information, the fine arrives with a name attached, is paid out of the responsible official’s own pocket, and comes with an administrative proceeding and liabilities before the Comptroller General.
Meanwhile, every day, thousands of public servants and external providers access, copy and send citizens’ data. By institutional email. By USB. Through shared folders. Without anyone recording it in time.
If the Data Protection Authority asked you today to demonstrate who accessed, copied or sent personal data from your institution in the last 30 days, could you answer?
The Authority is already issuing sanctions.
And the sanction is personal.
Since January 2026, the Personal Data Protection Authority has issued its first sanctioning resolutions. We are no longer talking about a law on paper: we are talking about case files, rulings and fines already served.
The fine falls on the official, not the institutional budget
The State does not pay it for you. The sanction arrives with a name attached and is collected from the responsible person’s own pocket.
On top of the fine comes the administrative proceeding
Plus the liabilities determined by the Comptroller General of the State for the management of the public information in your charge.
Serious violations: a fine of 10 to 20 unified basic salaries
With the 2026 SBU of USD 482, that means between USD 4,820 and USD 9,640 per sanctioned event.
An official calculation methodology already exists
The Authority applies a specific model for the public sector (Resolution SPDP-SPD-2025-0022-R). The calculation is no longer discretionary.
The question is no longer whether your institution will be assessed. It is whether you will have evidence when that happens.
Information leaves through more channels
than are controlled today.
ID numbers, records, tax filings, biometric data, medical files. In a public entity, sensitive information circulates every day through thousands of hands: permanent staff, temporary contractors, technology providers, external consultants. A single misplaced file can turn into a sanction, a media scandal and a proceeding with your name on it.
Institutional email and webmail
Attachments sent to external domains with no record.
USB devices
Mass copies of databases in seconds.
Cloud and web uploads
Files uploaded to unauthorized personal repositories.
Printing
Documents with citizens’ data leaving on paper, with no traceability.
Clipboard
Copy and paste into chats and external applications.
Screenshots
Screen grabs and photos of institutional systems.
Today, in most institutions, none of these channels leaves evidence. That absence of evidence is exactly what the Authority interprets as a lack of security measures.
GTB DLP: a platform that knows where the data is, who touches it and where it tries to leave.
Avanti implements and operates GTB DLP, the data security platform from GTB Technologies, which protects information across its three states.
Locate and remediate
Scans servers, computers, email and cloud to locate forgotten or exposed sensitive information and remediate it: move, encrypt or securely delete.
Block before it leaves
Inspects network traffic and outbound email. Blocks, quarantines or encrypts in real time, before the data leaves the institution.
Control every action
Controls what each user can do with information: copy, print, send to USB, take a screenshot or upload to the cloud, according to policies by area and role.
More than 600 predefined policies ready to activate: ID numbers, personal data, financial information and regulatory categories.
Three detection engines working together: patterns, dictionaries and digital fingerprints, with built-in OCR for images and PDFs.
Zero real data stored: the fingerprints are secure hashes; sensitive content is never replicated and never leaves your environment.
Exact-match detection designed to operate with virtually no false positives, per the manufacturer’s specification.
Flexible deployment to fit each institution’s reality: on premises, in the cloud or hybrid, covering Windows, macOS and Linux devices, inside and outside the institutional network.
When the Authority asks,
you will have documented answers.
GTB DLP does not just prevent leaks: it documents every event, every policy applied and every remediation. Reports by user, area and channel that answer exactly what the auditor and the oversight body ask.
A map of where the institution’s sensitive information resides.
Leak events detected and blocked, by channel.
Full traceability for internal investigations and proceedings.
Compliance status by regulatory framework.
No technology guarantees compliance with the LOPDP. What GTB DLP produces is the technical evidence that a compliance regime needs to be sustainable before the Personal Data Protection Authority. That difference, in the face of a sanctioning case file, is everything.
From the first conversation to operation,
in phases and with evidence in hand.
Assessment
Initial discovery scan: where your institution’s sensitive information is and how exposed it is today.
Scoped pilot
Deployment to a defined group with the highest-impact policies: email, USB and discovery.
Phased rollout
Gradual extension to the whole institution, channel by channel, without interrupting operations.
Operation and tuning
Policy tuning, reporting for senior leadership and continuous support from the Avanti team.
Each phase delivers concrete evidence: you decide to move forward with results in hand, not with promises.
The partnership
does not end with the sale.
Avanti represents specialized manufacturers and delivers professional services, managed services and consulting in Ecuador, Colombia and Mexico. For 15 years we have worked with organizations that manage critical information in regulated sectors, including the public sector, where the demand for traceability and control leaves no room for improvisation.
Our four lines of specialization, anti-fraud, cybersecurity, customer experience and governance, let us see data in its full institutional context: identity validates a transaction, the SOC protects it and governance certifies the regime.
A local team designs the policies with you, trains your people and operates the platform after implementation. The sale is the starting point, not the goal: that commitment translates into ongoing support throughout the entire operation.
It is time to act!
Let us arrange a data exposure assessment. In a few weeks you will know where your institution’s sensitive information is, which channels require immediate control and, above all, you will have the first piece of evidence for any request from the Authority.
Come back to the opening question: could you demonstrate today who touched the citizens’ data your institution safeguards? If the answer is “I don’t know,” you already know where to start.