The data protection law that begins to apply in 2018 marks a turning point in how personal data is collected and protected. The main objective of the new legislative framework is to give users more control over how their data may be used.
Measures such as express consent, the right to be forgotten and data portability return to users full decision-making power and control over their own data.
A new legal framework
The General Data Protection Regulation (GDPR) entered into force on May 24, 2016 and will apply from May 25, 2018, replacing the current rules. As an EU regulation it applies directly, so its data protection rules are common to all countries of the European Union.
In Spain, a new Organic Law on Data Protection will incorporate this framework and replace the one established by the Organic Law on the Protection of Personal Data of 1999.
Which companies must follow the new data protection law?
The law affects any company or self-employed person that processes personal data and is established in the European Union. It also applies to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour.
Therefore, regardless of the size of the company, whenever personal data of people in the EU is collected, the requirements established by the law must be met.
Sanctions for breaking the data protection law
As you know, the financial penalties for non-compliance with these regulations are very high. Depending on the severity of the offense, fines can reach up to 10 million euros or 2% of the company's worldwide annual turnover, or up to 20 million euros or 4% of that turnover, whichever amount is higher in each case.
Like all the sanctions already applied by the Spanish Data Protection Agency (AEPD), these have a clearly dissuasive purpose. It is therefore worth dedicating some effort to adapting our businesses to the new legal requirements.
Main features of the new personal data protection law
- Data minimisation. Only the data strictly necessary for the intended purpose should be collected.
- Reinforcement of consent. Tacit consent is eliminated: consent must now be freely given, specific, informed and unambiguous, expressed through a clear affirmative act. Silence, inactivity or pre-ticked boxes no longer count. There should be no doubt that the user knows exactly what data will be collected and for what purpose, and expressly accepts its processing and any transfer. Consequently, many websites will have to adapt their forms, pop-ups, etc. so that the user can expressly indicate consent. Note that consent is only one of the lawful bases for processing; where processing rests on another basis, such as a contract or a legal obligation, it should not be presented as a matter of consent.
- Improved information for the user. Information must be presented in layers, which allows the user to learn in as much detail as they wish everything related to the processing of their data. In addition, the new regulation expressly requires that the information be clear and concise so that it is easy to understand. Finally, the legal basis for the processing and the period for which the data will be stored must be specified.
- Right to be forgotten. Users may request that their personal data be deleted in cases including the following: when the data are no longer necessary for the purpose for which they were collected, when consent has been withdrawn, or when the data have been processed unlawfully.
- Right to portability. The data subject may receive the data they have provided to a controller in a structured, commonly used and machine-readable format and, where technically feasible, have it transmitted directly to another controller.
- Obligation to report security breaches. In the event of a personal data breach, the AEPD must be notified within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. Where the breach is likely to result in a high risk to their rights and freedoms, for example because sensitive data are involved, the affected users must also be informed without undue delay. In any case, every breach must be documented internally, including the facts, its effects and the remedial action taken.
- Record of files and processing activities. The new regulation eliminates the obligation to register files with the AEPD. However, it will be mandatory to keep an internal record of all processing of personal data carried out by the entity. Organisations with fewer than 250 employees are exempt, unless the processing is not occasional, is likely to result in a risk to the people affected, or involves special categories of data (such as health data, political opinions, religious beliefs, biometric data, etc.).
Ultimately, the new personal data protection law represents a change of approach to the collection and processing of this type of data. Control is returned to users within a general framework of transparency: the user of a website can know at any time what data is being collected and for what purpose, and must give express consent for its processing where consent is the legal basis.
With the new legal framework, therefore, incomplete information, tacit consent and confusing explanations will no longer be acceptable.
In any case, what could be seen merely as a new set of obligations for companies is also an opportunity to process data in a more responsible, conscientious and efficient way, and to end up with customers who are more satisfied with our work.
Do you want call center software that is ready for the changes in the new Data Protection Law? Wait no more and discover how our EVOLUTION software can help you: