The General Data Protection Regulation
With the GDPR coming into force on 25th May, we thought it was a good time let our clients and the wider community know about the main changes that the regulation will bring.
What are the main changes resulting from the GDPR?
- The scope of the law’s application covers all websites of companies established in the European Union that process personal data. It also covers websites of companies not established in EU territory that offer goods and services to residents of the European Union.
- It covers all kinds of data that can identify a person, even indirectly: names, emails, age, ID numbers, financial information, cookies, IP addresses, and information on physical, psychological, genetic, mental, economic, cultural or social identity.
- There has been a hardening of the requirements for obtaining consent from individuals when this is necessary for processing their data. In addition, the aforementioned consent may be revoked at any time by the interested party.
- Companies have to report security breaches within a maximum of 72 hours to data protection authorities and also, sometimes, to those affected.
- A copy of your personal information must be delivered to you in electronic format when you request it.
- The principle of data minimization requires that companies:
• Retain and process only the data absolutely necessary for the purpose for which they are used.
• Limit access to personal data to those who need it for the fulfillment of their role.
- Sanctions have increased: under the new regulation, fines can reach up to 4% of the company’s annual turnover.
To expand our knowledge, we have turned to Luis Mª Latasa Vassallo and Miguel Valdés Borruey, lawyers at EJASO, our trusted legal firm, who are experts in both Information Technology and Intellectual Property Law. This is what they said in answer to our questions:
What effects do you think the new regulation will have?
The new regulation affects all companies and, in our opinion, will mean a radical change in the management of compliance with data protection regulations.
In the first place, this is due to the principle of active responsibility established in the GDPR, which implies that companies assume a proactive role in such compliance. In this way, before initiating any processing of personal data, measures must be taken to ensure that they comply with the GDPR, and to be able to demonstrate that.
Subsequently, companies must continuously monitor compliance with the Regulation, both within their organization and by the external providers that could become involved in handling the data.
Secondly, the consequences of breaching this regulation increase exponentially given the severity of the sanctions. That makes the GDPR a priority in terms of compliance and risk management for the companies affected.
There’s some nervousness about this issue. What do you recommend doing in preparation for GDPR coming into force?
The best way to prepare for the GDPR is to carry out a project of adaptation to the Regulation. This must begin with a risk analysis to determine, based on the type of personal data processing being carried out, the legal, technical and organizational measures that the company must implement.
Is it going to be such a big change?
The GDPR will mean a change for all companies, especially for those that had not adapted to the previous regulations. The greatest impact will occur in large companies, in companies whose clients are consumers, and in those that handle sensitive data, such as health, personal profiles, monitoring user activities on the internet, geolocation, behavioral advertising, etc. These activities may now entail additional obligations, such as the creation of a register of data processing activities, the appointment of a Data Protection Officer (DPO), or the need to conduct privacy impact assessments.
At Interactiv4 we want to help you with the changes brought about by the GDPR coming into force.
Besides informing you on our blog, we are organizing an informational session. We’ll have more information about that soon!