DATA PROTECTION
On 25 May 2018, the European General Data Protection Regulation (EU) 2016/679 (GDPR) became directly applicable throughout the territory of the European Union.
In December 2018, Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights was published in Spain, completing the new regulatory framework initiated by the GDPR.
– The new rules have introduced important innovations…
Chief among them is the principle of privacy by design and by default, closely tied to the principle of accountability. Together they bind companies and organizations to consider data protection from the very design of any project that will involve processing personal data, and to be more diligent in demonstrating that they comply with the law and that the security associated with the processing and storage of the personal data they hold is effectively guaranteed. In practice, this means that every company and professional has to review and adapt its data protection compliance protocols, and must have review and oversight mechanisms in place that keep it aligned with the law at all times, as an ongoing compliance process.
BEING PROACTIVE MEANS WORKING ON PREVENTION SO THAT THE PROBLEM NEVER OCCURS
– The new features include…
The obligation, in certain cases, to keep an internal register of the processing activities carried out; a strengthened duty to inform data subjects; the need to comply more strictly with the principles governing data processing; stronger rights for data subjects over the data concerning them; the requirement that a legal basis legitimising the processing of personal data always be available; the importance of conducting regular verification and monitoring processes as evidence of diligent compliance; the obligation, in certain cases, to notify data subjects and the supervisory authority of security breaches as part of the breach management process itself; and the obligation to choose suitable providers whenever data are to be transferred to third parties.
QUESTIONS TO BE ASKED
What data are we collecting? Are these basic data or do we also collect sensitive data? Are unnecessary data being collected?
What should we consider if we have a website or an online store? What legal texts should we include on the web? How should we inform users who enter our website?
Where and how do we store the data? Do we have the appropriate storage media? Do we have an adequate backup protocol? Would business continuity be compromised if we suffer a serious incident?
What measures should we take? Is it necessary to carry out an analysis of the risks associated with the data processing we carry out? Are we required to carry out an impact assessment?
What should we do if we have staff? What should we tell them? What documents should they sign?
What procedures need to be implemented? Do we need to document compliance protocols? What internal dissemination should we give to these procedures?
What should we consider with suppliers? Do we have suppliers to whom we communicate customer data? Do we outsource services that involve transferring data? Should we evaluate our suppliers? What kind of documents should we formalise with them?
How are we collecting data? Are paper forms and documents used? Are the data recorded digitally?