Introduction to GDPR
The legal framework for data protection is undergoing an important transformation at the European level with the application of the new General Data Protection Regulation (GDPR). After four years of meetings, deliberations and negotiations, the Member States of the European Union approved a regulation that reinforces the rights of individuals regarding their personal data and increases the responsibility of those in charge of its management and processing, among them, of course, many of the companies in the sector.
The GDPR was published in the Official Journal of the European Union on May 4, 2016 and entered into force on May 24, 2016, although the date on which it becomes applicable is May 25, 2018. It replaces the 1995 Data Protection Directive, which each Member State had transposed into its own national law, with a single regulation that applies directly across the Union. At the same time, Spain's new Organic Law on Data Protection is being processed in the Spanish Parliament; it will replace the 1999 law (LOPD) applied to date, in order to adapt national law to the European regulation.
This new regulation is mandatory for all companies that handle personal data of clients, whether for internal or external use. That is why it is important to take it into account when the management of a company is based on the use of data obtained from its clients.
What is GDPR?
The GDPR is a European regulation that affects any entity (company, self-employed professional or other) that processes personal data within the European Union, as well as entities established outside the EU that offer goods or services to people in the EU or monitor their behaviour.
The GDPR is addressed both to citizens of the European Union and to the companies or third parties in charge of managing their data. It is based on principles such as transparency and accountability, and makes responsible management of personal information the controller's main duty. So, it is important to note that even if a company is not European, if it offers services to people in the EU, it must also comply with the GDPR. The regulation also covers public administrations, associations, communities of owners, etc.
In this sense, it provides definitions of essential concepts, such as restriction of processing, pseudonymisation, profiling, personal data breach, genetic and biometric data and the supervisory authority, as well as the roles of controller, processor, representative and group of undertakings. In general, we can say that the new regulation implies reinforced protection of personal data, granting the user greater control over the uses that can be made of them.
Therefore, the new GDPR entails, among other aspects, the following:
- Data minimization and purpose limitation: only the data strictly necessary for the intended purpose should be collected.
- User consent must be express, free, informed, specific and unequivocal. The possibility of tacit consent is eliminated.
- Improved information to the user, with clear and concise texts.
- Right to erasure (right to be forgotten). Users may request that personal data be deleted in cases such as: when the data are no longer necessary for the purpose for which they were collected, when consent has been withdrawn and there is no other legal basis, or when the data have been processed unlawfully.
- Right to portability. The data subject may request that their data be transmitted to another controller, or that they be delivered to them in a structured, commonly used, machine-readable electronic format.
What are the main obligations?
These user rights translate into the following obligations for companies:
Where consent is the legal basis for processing, always obtain the express consent of the user, and in every case inform him/her of the following aspects before the data are collected:
- Who is responsible for data management.
- Who are the recipients of the data (both the company itself and third parties that provide services).
- The very fact that their data are being collected, the extent to which they will be processed and the consequences of not providing them.
- For what purposes the data is collected and what is the legal basis for its treatment.
- Period during which the data will be kept or the criteria to determine it.
- Their rights of access, rectification, erasure, restriction of processing and objection, as well as the new right to portability.
Record of processing activities.
It is no longer necessary to register files with the AEPD. However, it is mandatory to maintain an internal record of all the processing of personal data carried out by the entity if it has 250 or more employees, and also for smaller entities when the processing is not occasional, is likely to result in a risk to data subjects, or involves special categories of data (such as those related to health, political opinions, religious beliefs, biometric data, etc.).
Obligation to notify personal data breaches
In the event of a security breach affecting stored personal data, the Spanish Data Protection Agency must be notified without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. If, in addition, the breach is likely to result in a high risk to the rights and freedoms of the affected users, for example because sensitive data were exposed, those users must also be informed.
Companies must analyse the risks of their processing and take measures to prevent them. An important tool in this regard is the data protection impact assessment, which is mandatory for processing that is likely to result in a high risk to individuals.
Data Protection Officer
The figure of the Data Protection Officer (DPO, "Delegado de Protección de Datos" in the Spanish text) is created, although it is not mandatory for all companies: it is required for public authorities, for organisations whose core activities involve regular and systematic large-scale monitoring of individuals, and for those processing special categories of data on a large scale.
What are the sanctions?
The field of data protection has always been characterised by the high financial penalties foreseen for cases of non-compliance. Their purpose is clearly dissuasive, to promote the widest possible compliance with legal requirements. With the new legislation, these provisions are further reinforced. Thus, compared to the range of sanctions in the previous Spanish law (between €900 and €600,000), the GDPR provides two tiers of maximum fines:
- Up to 10 million euros or 2% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher.
- Up to 20 million euros or 4% of that turnover, whichever is higher, for the most serious infringements (for example, violations of the basic principles of processing, of data subjects' rights or of the rules on international transfers).
However, in addition to fines, the GDPR gives the supervisory authority further corrective powers, graded from minor to major, among them:
- Warnings and reprimands, orders to comply with data subjects' requests, and the temporary or definitive limitation or suspension of data processing.
As is currently the case, the competent authority for imposing sanctions in Spain will be the Spanish Data Protection Agency (AEPD). Another very important feature of the GDPR is that any person who suffers material or non-material damage as a result of an infringement has the right to claim compensation from the controller or processor.
Are companies prepared?
It is easy to assume that many freelancers and SMEs, either due to lack of resources, or due to lack of information or simple neglect, are not prepared to face the new obligations of the data protection law. Perhaps, in many cases, they would not be fully complying with the requirements of the previous legal framework either.
On the other hand, one might think that large companies would be perfectly ready to work with the new GDPR. However, the reality is very different. In fact, a recent study indicates that only 10% of large Spanish companies were prepared to take on the new legal framework on data protection. The European average, a little better, is still meager: just 20%. According to the same study, the reasons given by the companies for not being up-to-date would be the following:
- Lack of specialized personnel (49%).
- Lack of budget (46%).
- Lack of knowledge (42%).
How can they get prepared?
In the first place, it is necessary to be aware of the importance of this legal reform, not only because of the possible sanctions, but also because of the image of the company itself. In this sense, in a context such as the current one, where users are increasingly aware of the importance of their privacy, companies with a good data protection policy can be perceived more positively. The next step will depend, to a large extent, on the capacity and size of the company, as well as the type of treatment they carry out.
Thus, some companies may choose to manage the adaptation to the data protection rules internally, which means making an effort to train existing staff or hiring new employees.
Other companies, on the other hand, might prefer to contract an external firm to adapt to the new data protection regulation. Many law firms currently offer specific services in this regard. In either case the company will require a training effort, since even if the adaptation is outsourced there are aspects that must be managed internally.
Adaptation to the GDPR in Call Centers
For Call Centers, data processing is inherent to their daily activity; their work cannot be understood without it. Therefore, compliance with the new organic data protection law and the GDPR is a priority issue. According to the new legal framework, some of the essential steps to carry out this adaptation are the following:
- Verify that all legal requirements regarding information and consent are met, as indicated above. If not, make the appropriate adaptations.
- In particular, Call Centers must justify the reasons for which calls are recorded, if any.
- Determine the type of data that the Call Center deals with. The new GDPR establishes a reinforced protection in cases of sensitive data (health, race, sexual orientation, religion or political ideology). In these cases, we must meet additional obligations.
- Document the processing activities carried out by the Call Center and the technical and organisational security measures that protect them (the function previously fulfilled by the Security Document and the File Manager under the earlier Spanish rules), and clearly identify who acts as controller and who as processor.
- Guarantee an efficient procedure for users to exercise their rights over their data. This will include, in addition to the traditional ARCO rights (access, rectification, cancellation and objection, in the Spanish acronym), the new rights to erasure and portability.
- Establish an internal record of data processing, if the company has more than 250 employees or processes sensitive data.
- Determine whether the Call Center needs to appoint a Data Protection Officer.
These are just some of the essential steps that any Call Center should take to ensure it is complying with the GDPR. However, we cannot deal here with all the details involved in adapting to the new legal framework. That is why it is advisable to have specialized advice or go to the Spanish Data Protection Agency to resolve any questions in this matter.
Key aspects of GDPR
In short, and as a summary of the data protection law, we can point out the following as key aspects of this reform:
- The GDPR becomes fully applicable on May 25, 2018.
- The new regulations promote transparency as an inspiring principle in the treatment of personal data.
- User control over the use made of their data is strengthened.
- The information provided to users must be complete and understandable.
- The consent must be free, unequivocal and express, and can be later withdrawn.
- A distinction is made between ordinary data and sensitive data, with different levels of protection.
- Companies will adopt a preventive attitude in handling data and will report security breaches.
- The system of warnings and sanctions for cases of non-compliance is reinforced.
Recommendations for the implementation of the GDPR
Once the main data protection developments are known, it is worth mentioning some final recommendations of a more general nature. It would be worthwhile to adopt a change of perspective regarding this regulation: instead of seeing it as a new legal burden or an added cost, we can approach it as an opportunity for the company. In a context where information is increasingly valuable, those companies that take the initiative to stand out for their exemplary handling of personal data could enjoy a competitive advantage over others.
Users are becoming aware of the true value of their data and will be increasingly cautious when giving it away. Therefore, in the face of any dilemma, they will end up giving preference to those entities that are more respectful in this area. Therefore, more than the fear of a sanction, it should be the respect for our clients and the improvement of our competitiveness that moves us to comply with the new GDPR.
Opinions of key actors in the business sector
EAE – Escuela de Administración de Empresas
“The publication of the GDPR, which took place on May 4, 2016 in the Official Journal of the European Union, is a step forward to guarantee the right of all people in the Community to know what happens with the data they provide to third parties.
In times when the volume of information is increasing and its sources are of diverse nature, it is convenient to establish standards for the proper use of data related to the identity of citizens.
The appearance of the GDPR also coincides with the consolidation of a trend according to which the processing of data in general, and particularly personal data, is outlined as a long-term area of work for companies and individuals, who will have to frame this activity on principles such as loyalty, security and transparency.”