What does the new European General Data Protection Regulation entail? #GDPR

The new regulation expands user rights and entity obligations

The new European General Data Protection Regulation (GDPR), which will define new obligations that businesses must comply with, will enter into force on May 25, 2018. The aim is to give citizens more control over their personal information in this digital age (smart cities, big data, social media, geolocations through devices, etc.) while reducing administrative burdens and facilitating the application on behalf of European companies.

The GDPR modifies certain aspects of the existing system (LOPD) and contains new obligations that must be analyzed and applied by each entity in accordance with their specific circumstances. Companies that do not adapt accordingly on time will face fines of up to €20 million or 4% of their turnover. Gartner calculates that over 50% of entities will not be ready to comply with the regulation by the proposed date.

Some of the key aspects of the new regulation, extracted from the Spanish Data Protection Agency’s GDPR Guide, are:

Consent must be “unequivocal”

Methods of consent that are tacit or by default are not accepted since they are based on inaction. In other words, interested parties must state their consent or confirm it by means of a clear action (e.g., when an interested party continues to navigate through a website and therefore accepts the use of cookies to monitor their browsing).

Consent must be unequivocal and also explicit in the following instances:

• When sensitive data is handled.

• When automated decisions are made.

• International transfers.

Information must be conveyed to the interested parties in a clear and simple manner

Informative clauses must explain the content they specifically refer to in a way that is clear and accessible for the interested parties, regardless of their knowledge about the matter. This must be done in writing—including electronic formats—when the data is obtained (directly or indirectly), if the purpose is modified or if the data is transferred to third parties.

There is also an exhaustive list of the information that should be provided to interested parties:

• Legal basis of how the information is handled.

• Intention to carry out international transfers.

• Details of the data protection representative (supervisor and advisor of the company’s data protection matters, with no legal liability), if applicable.

New rights

In addition to the traditional ARCO aspects, it includes new rights and defines specific conditions regarding the procedure to be followed for individuals interested in exercising their rights:

• The procedures and methods for this must be visible, accessible, and simple.

• Interested parties should be able to exercise their rights for free, except in the case of requests that are clearly unfounded or excessive.

• It acknowledges the right to obtain a copy of the information and access it at any time in a detailed, structured and commonly used format that can be read electronically.

Relationships between the supervisor and the person responsible

The supervisor is the individual or legal entity, public authority, service or other body that determines the aims and methods for processing the data and who guarantees compliance with the regulation on behalf of the person responsible for handling personal data. The relationship between the supervisor and the person responsible must be formalized with a contract or legal document.

The supervisor must keep a record of processing activities, determine the security measures and appoint a data protection representative when necessary.

New role: data protection representative

This person is responsible for the company’s data protection matters and serves as an advisor in this area, with no legal liability. This person must facilitate compliance with the regulation, the implementation of accountability tools, and act as an intermediary between the interested parties (authorities, business units within the company, etc.).

The appointment of a representative is mandatory for authorities, public bodies and supervisors responsible for this matter that must regularly and systematically process and monitor interested parties on a large scale.

Security measures

Supervisors must assess the risk of their processes in order to establish the measures to be applied along with the corresponding methodology. If the Data Protection Impact Assessment (DPIA) has identified a high level of risk that, in the eyes of the individual responsible for the process, cannot be mitigated by means of reasonable methods in terms of the available technology and application costs, the supervisor must consult the corresponding data protection authority.

Registering the processing activities

Entities with 250 or more employees must keep a record of the processing operations that take place. These records must contain the information established by the GDPR and include items such as:

• Name and contact information of the supervisor or co-supervisor and of the data protection representative, if applicable.

• Purpose of the processing.

• Description of the interested party categories and categories of the personal information that is processed.

• International data transfers.

Notification of “data security violations”

The destruction, loss, accidental or unlawful alteration, unauthorized access or transfer of personal data must be documented and the corresponding authorities must be notified. The interested parties must also be informed if there is a significant risk to their rights or liberties.

International transfers

Personal data may only be transferred outside of the European Economic Area to countries, regions or specific industries for which the Commission has made a decision confirming that they offer an appropriate level of protection or in the case of exceptions.

Code of conduct

A certification of compliance with the code of conduct is defined and then granted by the data protection agency or official certification entities. The certifications will be voluntary and will remain valid for a period of three years.

General assessment

In light of the growing use of data in the digital economy on which new business models are based, the GDPR is a necessary update that adapts existing regulations and guarantees the rights of citizens.

The regulation also raises doubts as to the interpretation of terms such as “appropriate or provided measures”, “sufficient guarantees”, and “reasonable expectations” that should be further clarified. However, entities should begin modifying some of the aspects of the existing system and also analyze and apply the new obligations in order to meet the deadline.