The General Data Protection Regulation (GDPR, RGPD in Spanish) replaces the current LOPD. This new Regulation will come into force on May 24th, 2018.
The Regulation introduces new elements, such as the right to be forgotten and the right to data portability. Another essential aspect of the Regulation is based on risk analysis, known as active responsibility (accountability). Companies must adopt measures that ensure they are prepared to comply with the principles, rights and guarantees established in the Regulation.
Therefore, the Regulation foresees the following new measures:
- Data protection by design
- Data protection by default
- Maintenance of a record of processing activities
- Carrying out data protection impact assessments
- Designation of a data protection officer, in some cases
- Notification of personal data breaches to the AEPD and also to the affected data subjects.
Regarding the points to be highlighted, we establish the following:
1. Consent and information
The Regulation requires that consent must be, in general, free, informed, specific and unequivocal. Consent cannot be inferred from citizens’ silence or lack of action. In general, companies should review their privacy notices to incorporate the requirements of the Regulation.
2. Data protection impact assessments
The Regulation entails a broader commitment of organizations, public or private, to the protection of data, such as impact assessments and consultation with supervisory authorities. Therefore, it is necessary that all organizations that process data carry out a risk analysis of their processing operations to determine which measures should be applied and how.
A data protection impact assessment, mandatory for some types of processing, must be carried out before that processing begins. The goal is to reduce or eliminate the risks that a given data processing operation can pose to the data subjects.
3. Data protection officers
The Regulation requires that Data Protection Officers (DPO) be appointed on the basis of their professional qualifications, in particular their knowledge of data protection law and their ability to perform the functions of the role.
They will be mandatory only in some cases.
4. Relationship between the controller and the processor
The Regulation sets out a minimum content for data processing agreements that goes beyond the provisions of the current LOPD, so existing agreements must be redrafted.
We will be delighted to assist you with the implementation of these new obligations. Contact us for a free audit review that will let you know whether you are GDPR compliant.
Written by: Esperanza Jordà, lawyer specialized in Data Protection and Information Technology. You can find her LinkedIn profile here.