The General Data Protection Regulation (GDPR) (2016/679) is a unifying update of European Union legislation that applies directly to the processing of all personal data in the EU since May 25, 2018. Prior to that date, privacy law in the E.U. has been governed by the laws of the member states as approved by the E.U. Privacy Directive. (95/46/EC).

You’ve probably heard a lot about the GDPR and that violations of that law can lead to huge fines that can affect even multinational conglomerates, with data processing being applied even when it doesn’t take place in the European Union. Although strict rules on personal data management are not new in the European Union, the GDPR includes significant differences that are driving a radical global change in personal data management practices, products and agreements.

Below, we will talk about the most significant points to take into account.

Sanctions

One of the biggest changes under the GDPR is that organizations that violate the GDPR can be fined up to 4% of the annual revenue or a fine of up to 20 million euros (whichever is greater). This is the maximum fine that can be imposed for the most serious combinations of violations, for example, not having sufficient customer consent to process their data, not having a pre-designed privacy process, or not reporting a data breach. It is important to note that these rules apply to both controllers and processors, which means that “in-the-cloud” processors are not exempt.

Global Reach

Unlike the previous directive, whose territorial applicability was ambiguous and applied to the processing of personal data “in the context of an establishment”, the GDPR applies to all processing of personal data in the European Union (regardless of citizenship). Even when the processing does not take place in the European Union, the GDPR applies to organizations that have “establishments” in the European Union, or that offer goods and services to persons in the European Union. It also applies to behavioral monitoring for companies that have no headquarters or establishments in the European Union but process data from the European Union.

GDPR Consent

Consent to the processing of personal data is required at any time that the organization has not decided and recorded another legal basis for the processing. When requesting consent for data processing, organizations cannot hide behind words with special or complex legal meanings. The consent request must be given in a clear, easily accessible form, and cannot be combined with other matters, such as buried within the “fine print” of another document in fine gray print. It should also be as easy to withdraw consent as it is to grant it. For example, if an application provides an acceptance notification for some form of processing, the mechanism for withdrawing that consent should not be buried in an inaccessible part of the application.

Notification of Non-Compliance

 

Right of Access

Most EU member countries did not previously have mandatory notice of non-compliance requirements, but now, under the GDPR, notice of non-compliance is mandatory in all member countries whenever an infringement may “create a risk to the rights and freedoms of individuals”. The notification must be completed without “undue delay” and “where practicable” within 72 hours of first becoming aware of a breach of the GDPR.

Right To Be Forgotten

The right to deletion of data makes it easier for the data subject to request the controller to have his personal data deleted and possibly to have it stopped by third parties. The data subject may request deletion if he or she has withdrawn consent or if the data is no longer relevant for the purposes for which it was originally collected. “The public interest in the availability of the data” may also be considered by the controller when evaluating such requests.

Data Portability

The data subject has the right to receive personal data in a “commonly used, machine-readable format” and may transfer such data to another data controller. This right only applies when the processing has been based on a person’s consent or for the execution of a contract, and when the processing is automatic and is limited to the personal data that the data subject provided to the controller.

Default Privacy

Privacy by default consists of offering the maximum guarantees of privacy by default in programs or applications and in general products or services that are going to treat personal data, that is to say, in the case of having several privacy configurations, those that offer greater guarantees of privacy to the interested party should be marked by default.

 

The default privacy also implies:

•  Data minimization, that is, the minimum possible data will be collected so that the product or service is possible and can fulfill its purpose.

•  Access control. Only the personnel who really need access to the data for the development of their professional work will have access to such data and of course, they will not be transferred to third parties if this transfer is not necessary, is not mandatory, or is not explicitly informed and consented by the interested party. Pseudo-anonymization techniques can be applied for this purpose.

•  The periods of conservation of the data, must be informed, they will stick to the strictly necessary (extension of the treatment) and only they will be conserved beyond, to attend to possible responsibilities born of the treatment on the basis of the legal periods of conservation.

•  Transparency is understood as the process of informing the interested party about the treatment of their personal data. Clear, concise, and understandable information.

Conclusion

GDPR compliance is likely to require changes in all organizations in Spain and the EU so that many companies ensure that personal data are processed in accordance with GDPR requirements. Such changes may include the redesign of systems that process personal data, the purchase of new systems and/or the renegotiation of contracts with third-party data processors.

Therefore, companies should understand that these changes may require a great deal of time to plan and implement. Otherwise, it could mean that companies are left with new requirements to implement, without sufficient time or resources to do so.