Since May 25, 2018, any company, European or not, that markets its products or services in a European Union country must comply with the General Data Protection Regulation (GDPR).
What is the GDPR?
The Data Protection Regulation, EU Regulation 2016/679 of the European Parliament and of the Council, came into force on April 27, 2016 and has been mandatory for all companies operating in the European Union since May 25, 2018. It gives citizens greater control over, and security for, their personal data in the digital world.
The GDPR extends citizens' rights to decide how their data is processed and how they receive information from companies.
What do companies need to consider in relation to the GDPR?
Despite the penalties that non-compliance with the GDPR can bring, many SMEs still do nothing in response to this European regulation. In essence, the Data Protection Regulation strengthens control over personal data: it gives every individual the right to decide whether any entity, public or private, may use their data, as well as the right to access it and to withdraw that access.
Many other companies, however, are looking for help in turning the GDPR into a differentiator and a source of added value. Their new strategy rests on the view that there is no better business asset than an in-depth understanding of the data their current and future customers provide to them.
Given the legal framework resulting from the European Data Protection Regulation, companies need to consider the following aspects:
Personal data is any information concerning an identified or identifiable natural person, a broader definition than that of the former Organic Law on Data Protection (LOPD). It may be a name, location data, an online identifier, or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that person.
There is greater transparency towards the people whose information is collected. Under the European Data Protection Regulation, companies must explain to the users from whom they collect data why they are collecting it, and must be able to demonstrate that the data is used only for the purposes for which it was collected.
Users, for their part, can withdraw their consent and have their information deleted from the company's servers. Tacit consent no longer exists: the General Data Protection Regulation requires far more controls to ensure that people who share their data do so with full knowledge of the facts. Companies must therefore review and redraft all their contracts and clauses.
It is up to each company to determine the level of risk it faces and the measures it must adopt to ensure that the information of all European and non-European residents is properly safeguarded and used. There is no longer a single uniform standard of data security; each company must assess its own risk. No one should still be wondering what the GDPR is.
Companies must be proactive in communicating failures. In the event of a data leak, the data controller must report the security breach, and must have an effective system for notifying the affected data subjects whenever there is a risk to their rights.
The GDPR encourages both public and private bodies to appoint a Data Protection Officer (DPO), a key figure in the new European regulation. The DPO's mission is to identify all possible risks and find solutions for them. A DPO is mandatory for all public administrations and for organizations that process personal data on a large scale, and may be internal or external to the company.
Under the General Data Protection Regulation, parental consent is required to process the data of minors under the age of 16 in online services. Member States may legislate to lower the age of consent, but in no country may the threshold for parental consent be set below 13.
The Data Protection Regulation pays particular attention to certification schemes and opens up several options for managing them. Certifications can be granted by data protection authorities, either individually or collectively through the European Committee, or by duly accredited entities.
Privacy by Design stipulates that any corporate activity involving the processing of personal data must be carried out with data protection and privacy in mind at every stage. This covers internal projects, product development, software development, IT systems and much more. In practice, the IT department, and any other department handling personal data, must ensure that privacy is built into a system throughout its entire lifecycle. Until now, bolting on security or privacy features at the end of a long production process has been fairly standard practice.
Privacy by default means that once a product or service is made available to the public, the strictest privacy settings apply by default, without any manual intervention by the end user. Furthermore, any personal data the user provides to make optimal use of a product should be retained only for as long as is necessary to provide the product or service. If more information is disclosed than is necessary to provide the service, that constitutes a data breach.
Given all the changes relative to the Organic Law on Data Protection (LOPD), companies need to consult guides that define the concepts, methodologies, examples and models to follow, recommendations, and even lists of possible GDPR breach risks. These are not standard guides; they must be adapted to each company.