All European companies are aware that, in order to process the personal data of their customers, workers or suppliers, they must comply with the corresponding national data protection laws.
But with the emergence of the new European Data Protection Regulation (GDPR) doubts arise: Does the way in which data are currently being processed comply with the new Regulation? If not, what must be done to comply with it?
This Regulation, which came into force in May 2016, will not be applicable until May 2018. However, companies should begin to familiarize themselves with the new requirements and procedures to avoid sanctions when the time comes.
Below, we present the 10 most relevant changes that all companies must be aware of in order to comply with the new GDPR.
This post is also available in Spanish.
New Data Protection Regulation: What do companies have to do to comply with it?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, text with EEA relevance.
This Regulation modernizes the European data protection regulation and unifies the legislation of the different member states, which implies an advance towards the achievement of a true digital single market.
It has been designed to allow citizens better control of their personal data and thus to generate greater confidence for European consumers who make online purchases in different states of the union.
Although compliance will be required as of May 25, 2018, it is necessary that affected individuals begin familiarizing themselves with the new GDPR, since it extends the obligations of European companies, self-employed individuals, public administrations, and those companies located outside of the European Union that offer their products or services to users of member countries, or that receive personal data from the EU.
Due to its importance and length (it consists of 173 recitals and 99 articles), we outline below the 10 main changes introduced by the European Data Protection Regulation:
10 main features of the new European Data Protection Regulation
1. New principles
Art. 5 of the GDPR contains the list of principles to be considered in the processing of personal data. We highlight the following:
Principle of Transparency (5.1.a)
This principle focuses on facilitating relations between the data controller and the data subject, as well as between the data controller and the control authorities.
A "record of processing activities" appears in the new GDPR.
This record is kept internally and will contain, among others, the following data:
- name and contact details of the data controller
- name and details of the Data Protection Officer
- processing purpose
- description of data subject categories
- description of processed data categories
- international data transfers
Principle of purpose limitation (5.1.b)
"Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (...)."
These explicit and legitimate purposes must be determined at the time of data collection.
Data minimization (5.1.c)
“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
In the golden age of Big Data, this principle requires the application of appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each of the specific processing purposes are processed (Article 25.2).
2. New rights of citizens
In the European Data Protection Regulation, the following new rights are recognized:
- Right to transparent information, (Article 12)
- Right to erasure (right to be forgotten), (Article 17)
- Right to restriction of processing, (Article 18)
- Right to data portability, (Article 20)
Due to their important practical consequences, we analyze in more detail the right to be forgotten and the right to portability:
Right to erasure (right to be forgotten)
It also obliges data controllers that have disseminated the information to third parties to inform them of the obligation to delete any link to the published data, as well as to eliminate any copy or replication of said data.
Its objective is to eliminate any trace of the data of any person who wants to be permanently "forgotten" from the network and search engines.
Right to data portability
The new GDPR provides for the possibility of transmitting data from one data controller to another, so that the data subject will have the right to have personal data transmitted directly when technically feasible.
A typical example is when a private individual wants to change their telecommunications operator or electricity company: portability allows the individual's personal data to be transferred directly to the new chosen company, in an agile and simple way for the end user.
In addition to incorporating these new rights, the GDPR also requires that visible and accessible procedures, written in plain language, be created to facilitate the exercise of these rights by data subjects. This will also have to be possible through electronic means, as indicated in Recital 59.
3. Expansion of the obligation to provide information
The Regulation extends the obligation to inform data subjects to new aspects:
- the legal basis for the data processing must be explained
- the data retention period must be reported
- the possibility of lodging a complaint must be reported
- the other rights incorporated in the new GDPR must be reported
It is therefore advisable to review the information clauses that have been included in the data collection processes and include the new sections to comply with the requirements of the GDPR.
4. Obtaining consent for data processing
The new GDPR indicates that to be able to consider that data subjects grant their consent for the processing of their data, there must be a statement by the data subject or a positive action that expresses his or her agreement.
Silence, pre-ticked boxes or inaction will not constitute proof of consent (Recital 32 of the GDPR).
On the other hand, other important changes have been made in relation to the processing of minors' data.
From May 2018, information society services may not be offered to children under 16 years of age without the consent of their parents or legal guardian, unless a national law establishes a lower age, which under no circumstances may be less than 13 years of age.
Must explicit consent be obtained for existing clients in accordance with the new GDPR?
One of the aspects causing the most debate is the way in which the consents of clients or users obtained prior to the entry into force of the new European Data Protection Regulation are going to be regulated.
In this sense, the new GDPR is clear: if the consent was not clearly identified, or was based on tacit forms or on omission, it must be requested again.
This must be taken into account, because data processing without valid user consent is considered a very serious infringement under the new regulation.
5. Establish security measures and actions
The new GDPR requires that security measures be applied taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of natural persons (Article 25, Data protection by design and by default).
The new European Data Protection Regulation speaks of "appropriate technical and organizational measures" to ensure a level of security appropriate for the risk, but does not specify what kind of measures should be applied.
The GDPR, under the principle of accountability (Article 5.2), requires the data controller to apply the appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing is in compliance with the Regulation.
The GDPR proposes adherence to approved codes of conduct or certification mechanisms as a way of demonstrating compliance (Article 42.3 of the GDPR).
Therefore, what the GDPR requires is that companies have a conscious, diligent and proactive attitude towards data processing, being able to demonstrate, if necessary, the security measures applied.
6. Assessment of the impact of processing personal data
Another new obligation established by the GDPR is to carry out an impact assessment (Data Protection Impact Assessment) for organizations that perform data processing that may involve a high risk for the rights and freedoms of natural persons. The origin, nature, specificity and severity of such risk must be assessed (Recital 84 of the GDPR).
7. Notification of breaches to the data protection authority
Another of the most important changes is a new obligation that the GDPR imposes on the data controller: notifying personal data breaches.
In other words, the data controller must notify the competent authority of any security breach that has occurred within 72 hours of its occurrence.
Additionally, if the breach involves a risk for the data subjects, they should also be notified.
8. The Figure of the Data Protection Officer
The GDPR dedicates an entire section to a new figure, given the relevance it has for the future: the Data Protection Officer.
This person is the company's data protection adviser and assumes competences in matters of coordination and control of compliance with data protection regulations.
This figure is not mandatory for all organizations: an officer will only be required in public bodies, companies that carry out large-scale processing, or those that collect especially sensitive data or data related to criminal convictions or offenses.
Among the functions that will be entrusted to a data protection officer are the following:
- monitoring the implementation and application of internal policies
- training staff
- organizing and coordinating audits
- managing the data subjects' data and the requests presented in the exercise of their rights
- ensuring the retention of documentation
- supervising the execution of the impact evaluation
- acting as point of contact for the supervisory authority
The Data Protection Officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks set out in the GDPR.
The Officer may be chosen from existing staff in the organization of the data controller or the tasks may be fulfilled through a service contract.
9. Data protection authorities
The GDPR maintains the existence of the different national regulators and their functions, but they will now be coordinated by a body dependent on the European Commission: the European Data Protection Board.
For data subjects, a single-window system is established. This means that if they have to lodge a complaint concerning any of the Member States, they can do so before their own country's authority.
For their part, controllers and processors with establishments in different Member States will be able to centralize the organization of their Privacy Management System in a single country (establishing a lead supervisory authority).
10. Higher sanctions
One of the issues generating the most debate and controversy is the exponential difference in the amount of sanctions set out in the new GDPR.
Whereas until May 2018 sanctions can range from €900 to €600,000, after that date no minimum amounts are established, and the maximum can reach €20 million or up to 4% of the offender's annual turnover.
The 10 most prominent changes set out in this new Regulation are:
1. New principles: transparency (record of processing activities), purpose limitation and data minimization.
2. New rights of citizens: right to be forgotten and right to data portability.
3. Expansion of the obligation to provide information
4. Method of obtaining consent: a statement from the data subject or a positive action that expresses his or her agreement.
5. Establishment of security measures and actions.
6. Obligation to carry out Impact Assessments to determine regulatory compliance.
7. New notifications to the Control Authority: data security violations.
8. The creation of the figure of the Data Protection Officer (DPO).
9. Application of the "single-window" concept, so that data subjects can carry out procedures before their own national authority, even when these involve authorities of other Member States.
10. Increase in the amount of sanctions.
These are just some of the many new features included in the new Data Protection Regulation.
Companies have until May 25, 2018, to adapt their internal processes to the requirements of the GDPR.
Companies must take advantage of this period to adapt the legal, technical and organizational measures in the collection of their users' and customers' data so that when the Regulation becomes effective, they can guarantee their compliance, both with their own clients and with the national and European supervisory authorities.