There are still a few months until the new General Data Protection Regulation (GDPR), which entered into force in May 2016, becomes applicable. As of May 25, controllers and processors must have implemented the measures necessary to comply with the new data protection regulation.
It is a regulation of direct application that does not need to be transposed into national legislation.
Although many concepts of the old Directive 95/46/EC are maintained in the GDPR, it establishes new obligations with which every controller must comply.
The principle of accountability should be highlighted as one of the most important elements introduced by the Regulation.
This principle requires a conscious, diligent and proactive attitude from those responsible for all the personal data processing they carry out. They must apply appropriate technical and organizational measures to guarantee, and to demonstrate to data subjects and supervisory authorities, that the processing complies with the Regulation.
Therefore, companies must take into account the following aspects:
– Transparency and information to data subjects: The information provided to data subjects regarding the conditions of the processing that affects them, and in response to the exercise of their rights, must be concise, transparent, intelligible and easily accessible, in clear and plain language. Until now, the only obligation was to provide this type of information expressly, precisely and unequivocally.
When the data is obtained from another source, controllers must provide this information within a reasonable period, and in any case within a maximum of one month from the moment the data was obtained, before or at the time of the first communication to the data subject, or before the data is disclosed to other recipients.
– Data protection impact assessments (DPIAs): The Regulation provides for certain measures to be applied only when the processing entails a high risk to the rights and freedoms of data subjects. In other cases, measures must be configured according to the level and type of risk of the processing.
To comply with this obligation, controllers must carry out an impact assessment in order to know which measures to choose and how to apply them. The measures will be adjusted according to the type of processing, the nature of the data, the number of people affected and the number and variety of processing operations applied.
Each processor must analyze the risk of its processing operations in order to adapt the measures and meet the GDPR.
Furthermore, it will be necessary to distinguish between the analysis required of large organizations and that required of small organizations and less complex processing. The former must use existing impact assessment methodologies, while the latter may perform a simpler analysis.
– Data subjects' consent must be unequivocal, understood as a statement by the data subject or a clear affirmative action. The new GDPR does not allow tacit consent.
Consents obtained prior to the GDPR will remain valid if they were given in accordance with the new requirements.
– Records of processing activities: Each controller shall maintain a record of processing activities under its responsibility, except in the case of an enterprise or organization employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
– Data protection by design and by default: The controller shall, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organizational measures in order to meet the requirements of the Regulation and protect the rights of data subjects (protection by design). The controller shall also implement appropriate measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (protection by default).
– Notification of a personal data breach to the supervisory authority: In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
Where the breach entails a high risk to the rights and freedoms of those affected, the controller must, in addition to notifying the competent authority, notify the affected persons so that they can take measures to deal with the consequences.
– Data protection officer (DPO): The GDPR establishes a figure responsible for monitoring compliance with the Regulation and with the policies of the controller or processor in relation to the protection of personal data.
This figure will be mandatory for public authorities and bodies, and for controllers or processors whose main activities consist of processing operations that require systematic monitoring of data subjects on a large scale, large-scale processing of special categories of personal data, or processing of data relating to criminal convictions and offences.
At SCHILLER Abogados we offer our support and advice to implement and meet the requirements established by the new General Data Protection Regulation. We will help you to review and adapt the privacy notices, as well as other requirements and obligations imposed by the new regulation.