During the coming months, companies must implement the changes needed to adapt to the new rules if they do not want to be exposed to administrative sanctions. Below we explain some basic concepts, the main responsibilities of companies, and how to approach them.
The General Data Protection Regulation (GDPR) is a new European regulation on personal data protection that introduces new obligations for companies. The GDPR replaces the previous 1995 Data Protection Directive, on which current UK law is based.
Although the GDPR was adopted in 2016, it does not apply until 25 May 2018. From that date it is mandatory in all European Union member states, and violations carry significant sanctions. These range from up to 10 million euros or 2% of annual worldwide turnover (whichever is higher) for lesser infringements, to up to 20 million euros or 4% of turnover for the most serious ones.
Beyond its broader scope and heavier penalties, the GDPR is also stricter on consent. It places limits on transfers of personal data outside the EU, requires notification of personal data breaches, and establishes the rights to erasure (the "right to be forgotten") and to data portability.
Glossary of terms for understanding the new personal data law (GDPR)
Personal data:
Any information relating to an identified or identifiable natural person.
Consent:
The person must give it freely, specifically, unambiguously and on an informed basis. For its part, the company must request it clearly and separately from other terms, and must state how it intends to use the data. Consent must also be as easy to withdraw as it was to give, and children under 16 need the authorisation of a parent or guardian (member states may lower this age threshold to 13).
Principle of proactive responsibility (accountability):
Organisations must analyse what data they handle, for what purposes, and what actions and processes they perform on it. An internal record of processing activities, covering all personal data and the processing performed on it, must be maintained. A supervisory authority may at any time ask a data controller to demonstrate that it is complying with the regulation.
Risk-based approach:
It is no longer enough for internal procedures to comply with the law; organisations must also assess external risks and put in place security measures appropriate to the risk of the data they process. If a personal data breach occurs (a hack, a leak, a mistaken communication), the supervisory authority must be notified within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to pose a risk to the individuals affected.
Data Protection Officer:
The GDPR establishes the role of Data Protection Officer (DPO), which must be appointed by all public authorities and by organisations whose core activities involve large-scale processing or processing of especially sensitive categories of data. The DPO can be an internal or external appointment, and will need both legal and IT knowledge in order to advise on and monitor data processing and to cooperate with the supervisory authority.
Adapting to the GDPR will take considerable effort for companies, so it is best to start as soon as possible. But it also represents a good opportunity to move forward with digital transformation, improve data-handling processes, and increase the agility and efficiency of your organisation.