On May 25, 2018, the new General Data Protection Regulation (GDPR), approved by the European Union, will enter into force. It applies to all companies, regardless of their size and sector of activity, and noncompliance could entail fines of up to €20 million, or the equivalent of 4% of the company’s turnover, should a personal data breach not be managed properly.
This new regulatory framework, approved by the European Parliament on April 14, 2016, seeks to protect personal data and the manner in which organizations and companies make use of, store and process it. In this regard, the legislation provides for a series of measures aimed at controlling how companies can use information relating to the personal data of individuals, to whom certain rights are recognized.
To help your company adapt to the new scenario that will arise in late May 2018, here are some of the main changes introduced by the legislation:
Territorial application of the legislation:
The new regulation, unlike the previous legislation, which had proved very ambiguous in these cases, applies not only to all European companies but also to all international companies managing the data of individuals residing in the European Union. This is why these companies must appoint a representative within the EU.
Explicit consent for data processing:
The conditions for proper data processing by companies have been reinforced: starting May 2018, a request for consent to personal data processing must be presented in an intelligible and easily accessible form, using clear and plain language for the consumer and specifying how the data will be used. Likewise, the new GDPR stipulates that revoking consent to the use of data must be as easy as granting it.
Notification of possible security breaches:
Up to now, only organizations such as telecommunications companies or banks were obliged to report them, but from now on reporting any security breach that might entail a violation of users’ privacy will be mandatory for all companies, regardless of their scope of activity. Companies that suffer a breach must inform the data protection authorities and the affected data subjects within 72 hours.
In this scenario, certified e-mail becomes an effective, low-cost tool for certifying that this obligation to inform has been fulfilled, as it provides proof of the electronic communications sent.
The figure of the DPO:
The Data Protection Officer becomes a key figure in the new regulatory framework, responsible for ensuring compliance with the legislation within their organization. Different situations have been provided for:
- Organizations and public institutions, as well as companies with more than 250 workers, must appoint a person for this position.
- For companies with fewer than 250 employees, a DPO will be mandatory when they need to carry out systematic and regular tracking of personal data processed for monitoring or market research, risk analysis, or credit or solvency data, as well as when processing data classified as requiring high protection.