Point-in-time audit · ANTAI-ready report · 14-day delivery

Legal audit of your database. We tell you today what ANTAI would find tomorrow.

Independent diagnosis of your Panama database: how it was built, how it is maintained, what real consent exists, which ARCO rights you could honor if a request arrived, what documentation you would hand over if ANTAI audited you on Monday. Deliverable technical-legal report. No vague language. With actionable risk score.

Current fine: $1K-$10K
Proposed 2026 fine: $100K
Verifiable principles: 9
ARCO response window: 10 days
The reality of enforcement

ANTAI is already sanctioning. Real fines are public.

Law 81 on Personal Data Protection came into force on March 29, 2021. Executive Decree 285 regulated it two months later, on May 28 of the same year. Since then the National Authority for Transparency and Access to Information, ANTAI, has had jurisdiction to process complaints and sanction. The awareness program has trained more than thirty sectors, which means one simple thing: enforcement is no longer theoretical.

These are three public files documented in the local press. The amounts look low next to European GDPR figures, but the picture shifts quickly once you add the reputational cost and the reform proposed in January 2026 that multiplies the fines tenfold.

2022 · Public case $1,000

Digital media outlet sanctioned for disclosing a marriage certificate without the data subject's authorization.

Source: La Estrella de Panamá
2023 · Public case $4,000

Local newspaper fined for publishing the photograph of a public official without express consent for that use.

Source: La Estrella de Panamá
2026 · Bill $100,000

A bill submitted in January 2026 proposes raising the fine ceiling to one hundred thousand balboas, ten times the current cap, and adds sanctioning power against data controllers that re-offend within the same fiscal period or that affect sensitive data of minors, under a specific aggravating clause.

Source: sucre.net · legal analysis

The other vector that changed the conversation is extraterritorial scope. The law applies to foreign companies that process data of Panama residents or that are domiciled in Panama. For a regional retailer with Panama customers, an international marketing agency with multi-country bases, or a SaaS that lists Panama users, compliance is no longer optional: the local regulator has jurisdiction.

More important for the banking, healthcare and legal sectors: Law 81 applies supplementarily when the sectoral law does not define a specific sanction. That means a bank can be sanctioned by the Superintendency under its own framework and, in parallel, by ANTAI under Law 81 if the general principles were not respected. The dual regulatory flank is real.

Interactive calculator

What is the real risk of your base today?

Estimation based on five variables observed in real audits 2024-2026. It does not replace a formal audit but provides a useful order of magnitude for prioritizing decisions.

Risk score · Law 81

Adjust the five variables. The score recalculates in real time.

Calculator inputs: size of your base, average age, primary origin, primary sector, ANTAI database registration status.

Default reading (score 0 / 100, Low risk): your base is in good shape for a point-in-time audit.

Current exposure: $1,000 fine
2026 reform exposure: $10,000 fine
Suggested audit tier: Express · $890
Remediation time: 2-4 weeks

A low score is not zero. Even with clean consent, formal documentation and a current ANTAI registration require continuous maintenance.

Scoring model based on 60+ real audits 2024-2026, weighted by gap severity detected. Indicative estimation, not formal diagnosis.

What the audit verifies

The nine principles of Law 81, evaluated with technical evidence.

Law 81 establishes nine general principles governing the processing of personal data. The audit does not stop at the legal reading of what each one says: it translates each principle into concrete technical evidence verifiable in the database, the system, or the client documentation. That is what makes it possible to assemble a report that holds up under ANTAI scrutiny.

| # | Principle | What it requires | Evidence we verify |
|---|---|---|---|
| 01 | Lawfulness | Processing must rely on prior consent, contract, legal obligation or special law. | Opt-in logs + documented legal basis |
| 02 | Fairness | The controller cannot use deceptive practices to obtain data. | UX audit of forms and check-boxes |
| 03 | Purpose | Data is only processed for the specific purpose declared to the data subject. | Privacy policy vs verified real use |
| 04 | Proportionality | No more data is requested than necessary for the purpose. | Field inventory vs justification |
| 05 | Truthfulness and accuracy | Data must be accurate, current and complete. | Update procedure + last verification |
| 06 | Security | Technical and organizational measures appropriate to the risk. | Encryption at rest + in transit + access logs |
| 07 | Transparency | Clear information to the data subject about what is done with their data. | Privacy policy accessible and understandable |
| 08 | Confidentiality | Duty of secrecy even after the relationship ends. | NDAs signed with staff + sub-processors |
| 09 | Portability | Data subject can obtain a structured copy of their data in a common format. | Export procedure + JSON or CSV format |

To those nine principles add the rights the law recognizes for each data subject, five in total: the ARCO rights (access, rectification, cancellation, opposition) plus portability. The audit verifies that the organization has real operational capacity to respond to an ARCO request within the legal window of ten business days, which means a documented procedure, a named officer, a tested response format and a technical system that allows running the operation without destroying the referential integrity of other data.
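As an added illustration of how the evidence rows for lawfulness, purpose and portability, together with the ARCO capacity check, become runnable tests (example code written for this page, not EMP's audit tooling), the script below builds a small constructed sample base in SQLite: a contacts table, an opt-in log and an orders table that references contacts. The table and column names, the rule for what counts as auditable consent, the sample rows and the deadline arithmetic (Mon-Fri only, no public holidays) are assumptions for the example. It classifies which contacts are defendable for a given purpose, exports one data subject's record as JSON, shows that a naive hard delete fails on referential integrity, performs a cancellation that pseudonymizes instead, and counts the ten-business-day response window.

```python
# Added example, not the page's own tooling. Schema, sample rows and the
# "auditable consent" rule are constructed assumptions for illustration.
import json
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, full_name TEXT, phone TEXT);
CREATE TABLE consent_log (
    contact_id INTEGER NOT NULL REFERENCES contacts(id),
    purpose TEXT NOT NULL,   -- purpose declared to the data subject
    source TEXT NOT NULL,    -- web_form, paper, imported
    ts TEXT,                 -- ISO-8601 opt-in timestamp (NULL = not recorded)
    evidence TEXT);          -- form version, IP, signed document reference
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL REFERENCES contacts(id), amount REAL);
"""

# Constructed sample: contact 3 consented only to transactional mail,
# contact 4 is a legacy import with no opt-in evidence at all.
CONTACTS = [(1, "ana@example.com", "Ana P.", "+507-6000-0001"),
            (2, "luis@example.com", "Luis G.", None),
            (3, "eva@example.com", "Eva R.", "+507-6000-0003"),
            (4, "old@example.com", "Legacy Import", None)]
CONSENTS = [(1, "marketing", "web_form", "2024-03-01T10:00:00Z", "form v3, ip 10.0.0.1"),
            (2, "marketing", "paper", "2023-11-20T00:00:00Z", "signed form #88"),
            (3, "transactional", "web_form", "2024-05-05T09:30:00Z", "checkout v2"),
            (4, "marketing", "imported", None, None)]
ORDERS = [(100, 1, 50.0), (101, 3, 20.0), (102, 4, 9.5)]


def open_sample_db():
    """In-memory copy of the sample base with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts VALUES (?,?,?,?)", CONTACTS)
    conn.executemany("INSERT INTO consent_log VALUES (?,?,?,?,?)", CONSENTS)
    conn.executemany("INSERT INTO orders VALUES (?,?,?)", ORDERS)
    conn.commit()
    return conn


def defendable_subset(conn, purpose):
    """Lawfulness + purpose: a contact is defendable for a purpose only when an
    opt-in for that exact purpose has a timestamp and evidence and did not
    arrive as an unattributed import. Returns (sorted ids, percent of base)."""
    rows = conn.execute(
        """SELECT c.id FROM contacts c JOIN consent_log l ON l.contact_id = c.id
           WHERE l.purpose = ? AND l.ts IS NOT NULL AND l.evidence IS NOT NULL
             AND l.source IN ('web_form', 'paper')""", (purpose,)).fetchall()
    ids = sorted({r[0] for r in rows})
    total = conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]
    return ids, round(100.0 * len(ids) / total, 1)


def arco_access_export(conn, contact_id):
    """Access + portability: everything held on one data subject, as JSON."""
    c = conn.execute("SELECT id, email, full_name, phone FROM contacts WHERE id = ?",
                     (contact_id,)).fetchone()
    cons = conn.execute("SELECT purpose, source, ts FROM consent_log WHERE contact_id = ?",
                        (contact_id,)).fetchall()
    ords = conn.execute("SELECT id, amount FROM orders WHERE contact_id = ?",
                        (contact_id,)).fetchall()
    return json.dumps({"contact": dict(zip(("id", "email", "full_name", "phone"), c)),
                       "consents": [dict(zip(("purpose", "source", "ts"), r)) for r in cons],
                       "orders": [dict(zip(("id", "amount"), r)) for r in ords]}, indent=2)


def hard_delete_breaks_integrity(conn, contact_id):
    """A naive DELETE is not a cancellation procedure: with foreign keys on it
    fails while orders still reference the contact. Leaves the base unchanged."""
    try:
        conn.execute("DELETE FROM contacts WHERE id = ?", (contact_id,))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


def arco_cancellation(conn, contact_id):
    """Cancellation that keeps referential integrity: strip identifying fields
    and the consent trail, keep order rows (and their key) intact."""
    conn.execute("UPDATE contacts SET email = ?, full_name = NULL, phone = NULL WHERE id = ?",
                 (f"erased-{contact_id}@invalid", contact_id))
    conn.execute("DELETE FROM consent_log WHERE contact_id = ?", (contact_id,))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM orders WHERE contact_id = ?",
                        (contact_id,)).fetchone()[0]


def arco_deadline(received_iso, business_days=10):
    """Response window counted Mon-Fri from the day after receipt; public
    holidays are deliberately not modelled (assumption). Returns ISO date."""
    d, left = date.fromisoformat(received_iso), business_days
    while left > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            left -= 1
    return d.isoformat()


if __name__ == "__main__":
    db = open_sample_db()
    print(defendable_subset(db, "marketing"))      # ([1, 2], 50.0): half the base defendable
    print(hard_delete_breaks_integrity(db, 4))     # True
    print(arco_cancellation(db, 4), "orders kept") # 1 orders kept
    print(arco_access_export(db, 1))
    print(arco_deadline("2026-03-02"))             # 2026-03-16
```

The defendable share is the number the re-opt-in decision turns on: anything outside it is processed without evidence the controller could hand over. The cancellation deliberately pseudonymizes rather than deletes so that accounting rows survive with a valid key, which is the integrity constraint the paragraph above refers to.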

What we deliver

The report has four sections.

It is not a generic compliance PDF. It is an actionable document, with risk prioritization, estimated remediation cost, and specific references to the article or decree that applies in each case.

Section 01 · Executive summary

For the CEO

  • Global risk score (0-100) with interpretation
  • Top 3 critical findings in non-technical language
  • Current economic exposure estimate
  • Recommended decision (status quo / urgent remediation / overhaul)
Section 02 · Technical diagnosis

For the CTO or IT team

  • Evaluation of the 9 principles with attached evidence
  • Field inventory vs justification for each one
  • ARCO procedures and real measured times
  • Current technical stack and detected security gaps
Section 03 · Legal analysis

For the legal area

  • Specific references to Law 81 articles and DE 285
  • Risks of sectoral supplementary application
  • ANTAI registration status and observations
  • Law 81-compliant consent templates
Section 04 · Remediation plan

For project management

  • Findings prioritized by risk and cost
  • Suggested timeline in weekly sprints
  • What your internal team can resolve
  • What is worth subcontracting (to EMP or to others)
Transparent pricing

Three tiers based on size and exposure.

Scope is calibrated after a 30-minute call with no commitment, where we understand real volume, sector and urgency.

Express

Bases under 50K records · point-in-time audit.

$890 USD
  • Diagnosis of the 9 principles
  • ARCO capacity evaluation
  • Executive + technical report
  • Gap analysis with prioritization
  • 14-day delivery
  • Bilateral NDA signed
Request Express

Enterprise

No limit · audit + 90 days monitoring.

$4,800+ USD
  • Everything in the Professional tier
  • Complete audit with no size limit
  • 90 days post-remediation monitoring
  • Data Protection Officer advisory
  • Coordination with legal department
  • Priority support for ANTAI citation
Talk Enterprise
The real questions

What the General Counsel asks on the first call.

"We already have internal lawyers. Why do we need an external audit?"

Two operational reasons. First: the external audit turns compliance into evidence documented by a third party, which before ANTAI or before a judge carries better evidentiary weight than internal self-declaration. Second and more practical: internal lawyers typically know Law 81 at the legal level but do not translate the principles into technical evidence verifiable in the database. The audit is bilingual between legal and technical, and that is exactly the angle where gaps emerge. The technical integrity of the report does not compete with your legal team, it complements them with data they do not have time to extract.

"Fines are low. Is it really worth auditing now?"

Three reasons to audit now rather than later. First: in January 2026 a bill was submitted that raises fines to one hundred thousand balboas, ten times the current cap. The window to comply before it gets expensive is closing. Second: ANTAI has already issued real sanctions (one thousand dollars in 2022, four thousand in 2023) and its direction is active, not passive. Third and most important for regulated clients: the reputational cost of a public sanction exceeds the fine amount many times over. For a Panama bank a single ANTAI file can affect the relationship with the Superintendency of Banks.

"We have a ten-year-old database. Will the audit destroy it?"

No. The audit does not remove anything by itself. What it does is identify what percentage of the base can be defended with auditable consent and what percentage cannot. The operational decisions (re-confirm consent via re-opt-in campaign, segment use, archive contacts without defense) are made by the client. What we do is tell you honestly what works and what does not, without makeup to maintain the apparent size of the base. Three out of four audits we ran ended with a re-opt-in campaign to preserve the defendable subset.

"If you find something wrong, are you required to report to ANTAI?"

No. EMP is an independent provider with no contractual relationship with ANTAI and no whistleblower role. Audit findings are the property of the client and are delivered under bilateral NDA. The decision to voluntarily report, remediate internally or otherwise manage the risk found belongs exclusively to the client and their legal team. This is a critical difference from external audits that carry a regulatory link (Sarbanes-Oxley financial audits in the US, for example). Here there is no forced bridge to the regulator.

"My company is outside Panama but we have Panama customers. Does it apply?"

Yes. Law 81 applies extraterritorially when data of Panama residents is processed or when the data controller is domiciled in Panama. For foreign companies the audit has an additional component: validating the legitimacy of international data transfer and contractual agreements with sub-processors outside Panama. This brings verification against equivalent standards (GDPR for European companies, CCPA for California) and design of the ARCO response flow from non-Panama infrastructure. The Professional tier covers this analysis at no additional cost.

"How is your audit different from a Panama law firm that also offers this?"

Panama law firms do excellent work in the legal dimension. They are the ones who write the DPAs, who advise before ANTAI, who run litigation when there is already an open file. What they do not do, except in very specific cases, is translate the Law 81 principles into verifiable technical evidence in the database. EMP has been running Panama databases for sixteen years. The audit runs on the infrastructure, not on paper. For serious clients the recommended combination is: law firm for the legal dimension, EMP for the technical audit, without cannibalization of roles.

Frequently asked

What ends up coming out in the technical meeting.

How does this audit differ from the Law 81 compliance service?

The audit is a point-in-time diagnosis: technical and legal snapshot of your database at a given moment. It identifies gaps, measures risk, delivers a report. The Law 81 compliance service is ongoing: DPA implementation, ANTAI registration, team training, maintenance of auditable consent, ARCO rights handling month to month.

Most clients start with the audit to understand where they stand and then decide whether to contract ongoing compliance or resolve gaps with their internal team. The Law 81 compliance page has the detailed ongoing packages.

What happens if you find that my base does not comply with Law 81?

This is the most common outcome. About three out of four audits we ran during 2024-2026 found gaps in consent, ANTAI registration or ARCO capacity. The audit does not end with the diagnosis: the report comes with a remediation plan prioritized by risk and cost. Legal-critical items come first, marginal ones at the end.

The client decides what to resolve internally and what to subcontract. Technical integrity beats selling remediation: if your internal team can resolve 80% of the gaps, we tell you so.

How long does the audit take?

Delivery times by tier:

  • Express: 14 days from NDA signing to report delivery
  • Professional: 21 days including partial remediation phase
  • Enterprise: 30 days for complete audit + 90 days of monitoring afterwards

The audit starts with a technical discovery session (1-2 hours via video call), remote documentary review, technical validation of how consent is stored, and interview with the client legal or technology lead.

Is the audit confidential?

Yes. We sign a bilateral NDA before any access to client information. Personal data in your base never leaves your infrastructure: the audit runs on anonymized samples or on metadata of the base. The final report is client property.

EMP does not share findings with third parties, not even directly with ANTAI, nor use them as case studies without express written authorization.

What if I receive an ANTAI citation before the audit finishes?

The legal deadline to respond to an ANTAI citation is tight and the response requires specific documentation. If you receive the citation during the audit, we accelerate the timeline to deliver the critical documents first: auditable consents, processing register, current privacy policy and ARCO rights procedure.

Responding to the citation is the responsibility of your legal team, but we deliver the technical documentation they need within the 5 business days that Law 81 sets for motions for reconsideration.

Does the report work as evidence before ANTAI or before a judge?

The report is technical opinion from an independent provider with sixteen years operating Panama databases. Its probative value depends on context.

As evidence of good faith before ANTAI it shows that the organization took diligent steps to review its compliance. As evidence before a judge it typically requires ratification in court or complementing it with a formal forensic email investigation, a service we offer separately and which has been accepted in Panama courts since 2022.

Does it apply if my company is outside Panama but I have Panama clients?

Yes. Law 81 applies extraterritorially when you process data of Panama residents or when the data controller is domiciled in Panama. For foreign companies the audit has an additional component: validating the legitimacy of international data transfer and contractual agreements with sub-processors outside Panama.

This brings verification against equivalent standards (GDPR for European companies, CCPA for California) and design of the ARCO response flow from non-Panama infrastructure.

Why audit now if fines are still low?

Three operational reasons:

  • 2026 reform: bill raises fines to $100,000, ten times the current maximum
  • Active ANTAI: has already issued real sanctions, the direction is not passive
  • Reputational cost: a public sanction exceeds the fine amount for regulated clients

For banking, healthcare and legal a single ANTAI file can affect the relationship with the corresponding sectoral authority.

Discovery call. Thirty minutes.

Before proposing any tier we run a 30-minute call with no commitment to understand real volume, sector, urgency, regulatory exposure and current compliance status. If after that conversation the audit does not fit, we tell you so. Technical integrity beats closing a bad fit.

No commitment · 30 minutes · Optional NDA · Mon-Fri 9-18 GMT-5