The new General Data Protection Regulation (GDPR) involves a real change of attitude for data controllers and processors, who must take proactive responsibility for the processing and handling of personal data.
However, implementing all the measures necessary to comply with this strict regulation, and being able to demonstrate compliance when the time comes, is neither a quick nor a simple task.
In this post we provide some tips and tools to make this duty easier for you before it comes into force on 25th May.
This post is also available in Spanish.
Despite the new Regulation having been approved in April 2016, giving those affected time to adapt to it, 90% of Spanish companies do not yet comply with this new data protection legislation. At a European level the figures are not much better: 80% of EU companies have still not adapted to its requirements.
This data comes from a study carried out by the consultancy firm IDC and the IT giant Microsoft. It claims that companies will invest 144 million euros in order to comply with the requirements set from Brussels.
This figure is not exorbitant, as the Regulation lays down many important changes for both controllers and processors of personal data, and the countdown is coming to an end.
The guiding principles of this new reform are responsibility, prevention and transparency. Always keeping this in mind, the basic advice that we offer you in order to comply with this regulation would be:
For certain companies the GDPR contains an obligation to appoint a Data Protection Officer (DPO). This person will be responsible for advising on, managing and controlling everything related to data protection regulation within the company, as well as acting as the link between the company and the AEPD (Spanish Data Protection Agency).
When the appointment of a DPO is not required, our recommendation is to appoint an internal manager to train the rest of the team and to hire a specialized legal-technical service for resolving queries.
Make sure to develop and implement security measures throughout your infrastructure to be covered against possible data security breaches. A good preventive system will minimize any possible risks.
For example, in addition to protecting networks and the cloud, protect workstations and smartphones. These devices are used to process and create new information and are therefore prime targets for cybercriminals.
Furthermore, be sure to verify that your suppliers are equally responsible with their systems and procedures, as outsourcing a service does not exempt you from responsibility for it.
You must know exactly what personal data you are processing: how you collect it, and how it is transferred, stored and processed. You must also know who has access to that data, including third parties and collaborators, and whether there is any risk of misuse or unauthorized access.
Once you have identified these parameters you must delete unnecessary information in order to respect the principle of data minimization, under which only the personal data needed for the declared purpose may be collected and processed (Article 5.1.c).
How will individuals be able to give their consent lawfully? This is the second question you must be able to answer. Once the GDPR comes into force, if you base the lawfulness of the processing on consent, all individuals must grant it in a free, informed, specific and unambiguous way.
For consent to be considered unambiguous, the GDPR requires it to be given by means of a "clear affirmative action" that indicates the data subject's agreement. Therefore, companies should review the way in which they obtain and record consent so that it can be verified in an audit.
More information > GDPR: what solutions do we provide for lawfully obtaining consent?
Another aspect you should have in place is the procedure you will follow if a person wants their data deleted or transferred. The GDPR introduces two new rights here: the right to data portability and the so-called right to be forgotten.
As of 25th May, data subjects will have the right to request the direct transmission of their personal data to other service providers with whom they have a relationship. They may also prevent the dissemination of their personal data through the internet when its publication does not meet the requirements.
The new Regulation makes it mandatory to notify the competent authority of each country of any personal data breach within 72 hours of becoming aware of it. It is therefore of the utmost importance to establish a company communication plan and to ensure that all staff know what to do in the event of a failure of the protection system.
The Regulation reinforces the information that must be provided to interested parties, therefore companies should review their privacy notices.
For example, they must include the legal basis on which the processing of the data is legitimized, the retention periods, and the mechanisms available for exercising the rights to data portability and to be forgotten.
It is important to remember that the Regulation expressly requires that the information provided be easy to understand, so it must be presented in clear and concise language.
We hope that when the date of the effective application of the Regulation arrives, most of the companies will be able to demonstrate compliance, both to their own clients and to the National and European supervisory authorities.
For this it is important that, in this final phase, companies invest all the resources needed to adopt the legal, technical and organizational measures required for the lawful processing of user and customer data.
If you have any questions about how to obtain your clients' consent for collecting and processing their data, you can download the guide below, where we explain in greater detail the technological solutions we have designed specifically for complying with this Regulation. If you prefer, you can get in touch with us by email at firstname.lastname@example.org or by calling us on 93 551 14 80.