The new Data Protection Regulation and our businesses

David García

4-minute read

The New Data Protection Regulation and Our Businesses - Reinicia Agencia de Marketing Digital

On May 25, 2016, the long-awaited General Data Protection Regulation came into force. It is a European regulation that applies directly in all member states and aims to unify how this matter is regulated and enforced throughout the European Union. However, although it entered into force on that date, it will not be applicable until May 25, 2018. We will therefore go through a transitional period in which Law 15/1999 and its implementing Regulation remain in full force, although we will have to anticipate the new situations we will encounter.

Data Protection Regulation: How will it affect us?

The measures of the new Regulation will not be enforceable until 2018. Even so, its entry into force, although its application is suspended for two years, will involve many nuances, new forms or modified obligations, as well as a new penalty regime.

In addition to the current principles of legitimacy, information, purpose and data quality, we have to handle the new principles that are absolutely necessary given the exponential technological development in which we find ourselves:

  • Privacy by design
  • Privacy by default
  • Accountability

which seek to establish the protection of personal data as an essential element of any technical, technological or administrative process involving the processing of personal data.

The perspective for data controllers and processors will change from a "tick-box" compliance model, i.e. completing the points required by law, to that of a risk manager and analyst.

The registration of files, as such, will disappear under the Data Protection Regulation. However, this in no way removes the obligation to document compliance with the security measures taken, the obtaining of informed consent and the other obligations involved in processing. Thus, we will have to implement the corresponding Privacy Impact Assessments, based on an analysis of the risks that the products or services may pose to the data protection of those affected by the processing of their data. The result of this analysis must be the specific procedure or procedures for managing the risks, adopting the necessary measures to mitigate or eliminate them.

It is also worth mentioning that another challenge will be the need, in some cases, to introduce the figure of the Data Privacy Officer into the organization, in a way that still presents some uncertainties.

Companies should bear in mind that, as of May 2018, they must carry out a risk analysis of the data processing they perform, and it may be useful to start now to:

    • identify the type of processing they perform,
    • determine the degree of complexity of the analysis to be carried out,
    • implement impact assessments,
    • review the avenues for the exercise of rights, etc.

Specifically, how will it affect digital businesses?

First. As in any organization that processes data, it will be necessary to carry out a risk analysis of the processing operations in order to determine what measures to implement and how to implement them. These analyses can be very simple in activities that carry out only a few simple processing operations that do not involve, for example, sensitive data (such as an e-commerce site that purely sells goods), or more complex in activities that involve many processing operations, that affect a large number of data subjects, or that by their characteristics require a careful assessment of their risks (mass-download apps, digital marketing agencies with customers from different segments, …).

Second. The obligation of active responsibility will entail a major revision of processes, since the Regulation considers it clearly insufficient to act only once an infringement that causes damage has occurred. Therefore, we must pay close attention to software development, which must provide, from its conception, for compliance with security measures aimed at protecting the personal data it manages.

Third. We will have to review the way in which we obtain and record consent. Practices that fall under the so-called tacit consent and that are accepted under the current regulations will cease to be so when the Regulation becomes applicable. It must be borne in mind that consent must be verifiable and those of us who collect personal data must be able to demonstrate that the data subject gave consent. It will therefore be important to review the systems for recording consent so that it can be verified in the event of an audit.

Fourth. We will have to review all our legal notices regarding the privacy section. For example, we will need to explain the legal basis for data processing, the data retention periods and that data subjects can address their complaints to the Data Protection Authorities, all in a way that is easy to understand and presented in clear and concise language.

Fifth. The Regulation, in addition to applying as it has until now to controllers and processors domiciled in the E.U., is extended to controllers and processors not established in the E.U., provided that they carry out processing operations derived from an offer of goods or services to EU citizens or as a result of monitoring and tracking their behavior. This clearly brings to mind Google and many other providers of digital tools outside the E.U. whose use is typical of digital processes, so it will undoubtedly have repercussions on the way we have been using certain tools up to now.

In short, the new regulatory framework arising from the Regulation, international relations in the protection of personal data, the third industrial revolution that we are living through (digitization, the Internet, communications, social networks, cloud, cyber security, big data …) as well as the fourth that is already overlapping with it (robotics, nanotechnology, the Internet of things, genetics, …) are challenges that in a short time will rewrite the perspective we have of privacy and the protection of personal data.

David García
ICT Lawyer
