General Regulation of Data Protection
As of May 25, we will need the unequivocal consent of all the people and companies about whom we hold any information, in whatever format, in order to use it. More importantly, we will have to tell them what data we hold and what use they allow us to make of it.
A new data protection law comes into effect throughout Europe: GDPR (General Data Protection Regulation). It is a regulation that affects all companies that process data of European citizens, even if they are from the United States, such as Google or Facebook.
The large fines faced by those who do not comply with it are one of its most controversial and widely publicized points. But behind this acronym there is also a new way of informing users about what information we give and what it is used for.
What is GDPR (or RGPD)?
GDPR, the English abbreviation of General Data Protection Regulation, is the new regulation governing the protection of the data of citizens who live in the European Union.
The regulation entered into force on May 24, 2016 but will be mandatory as of May 25, 2018.
During these two years, the Organic Law on Data Protection (LOPD) has remained in force, but it has an expiration date. In fact, a new law that allows or facilitates the application of the Regulation is expected to be approved in a few months (it is currently going through parliament). This new law cannot contradict GDPR, but it will better define some of its aspects (when a user is considered a minor, for example).
It is the first rule on this matter that affects all the countries of the European Union and therefore unifies both rights and obligations.
In fact, for years it was a demand of many companies and sectors, such as technology, which had to deal with 28 different laws on the use and processing of personal data in order to offer their services in Europe.
Who does GDPR affect?
This new regulation determines that all companies, regardless of their country of origin or activity, must comply with it if they collect, save, process, use or manage any type of data of citizens of the European Union. That is, Apple or Amazon (to give some examples) are also subject to it.
And, of course, it affects all of us who live in the European Union.
Express consent is a fundamental right in the processing of personal data. The regulation requires that consent be free, informed, specific and unequivocal, and it must never be inferred from the silence or inaction of users. For this reason, the new regulation requires data subjects to give their consent in an express and revocable manner, so that as of May 25, 2018, no other types of consent will be accepted.
Transparency and information to the data subject: all information given to the data subject must be provided in a concise, transparent and intelligible manner, and must be easily accessible and written in clear and simple language.
Adaptation of clauses and information policies: it is mandatory to inform clients of the changes established by the new LOPD regulations, through the company’s communication tools, such as web pages, email or newsletters.
Data protection impact assessment: this new tool aims to ensure the privacy of personal data from the design of the processing onward and, in doing so, to analyze whether the processing puts the rights of data subjects at risk. Once the results have been obtained, the relevant security measures must be applied.
Right to data portability: this right means that the data subject's data is transmitted (upon request) from one controller to another, without first having to be transmitted to the data subject, if this is technically possible.
Appointment of a data protection officer: companies that process personal data on a large scale must have a data protection officer (DPO).
Obligation to notify security breaches: under the new regulation, so-called “data security violations” must be notified. The deadline for this communication is 72 hours from the moment in which the person in charge has proof of the event.
Introduction of certificates and seals: in order to help companies boost their corporate reputation and competitiveness, new certification mechanisms are introduced to ensure compliance with European regulations and the quality of data protection.
Adherence to codes of conduct: these codes facilitate the correct application of the Data Protection Law in different sectors. They are voluntary and bind only those who commit to applying their provisions.
While we wait for parliament to approve the rules implementing the regulation, we need to start working toward a correct, validated and authorized database. Apart from being clear and understandable, we need to be able to prove it.