General Data Protection Regulation

What is the GDPR?

The General Data Protection Regulation (GDPR) is the new legislation governing the processing of personal data in Europe, replacing national statutes such as the Spanish Data Protection Organic Law (LOPD in its Spanish initials). The intention of the GDPR is that data protection be applied uniformly in all EU Member States, while adapting the law to technological advances. Although it came into force on 25 May 2016, its application will be effective and obligatory from 25 May 2018.


The GDPR involves a complete change of focus, a switch from a model based on the drafting of security clauses and documents to one where the key word is accountability, which goes beyond mere compliance with the law. In addition, companies have to create procedures to comply with their obligations and be able to show how these are applied in practice.


Principles contained in the GDPR

The principles on which the Regulation is based are very similar to those contained in the LOPD. However, they include very significant modifications and new features, of which the following are worthy of note:

  • Service providers who process personal data on behalf of third parties take on much greater responsibilities. As data processors, their greatest challenge will be to give their clients confidence in their ability to comply with the legislation.
  • Privacy policies can no longer be accepted globally through the typical “I’ve read and accept the terms” checkbox. Users must be able to choose the purposes for which they agree to the processing of their data and for those which they don’t.
  • The concept of personal data is broadened to cover the “unique identifiers” used in digital marketing to track users’ behaviour and serve them customised content and advertising.
  • New rights are created (such as “data portability” and the “right to be forgotten”) which oblige companies to carry out risk analyses with respect to their activities… and those companies with more than 250 employees or which carry out mass data processing must appoint a data protection officer.

Obligations contained in the GDPR

The GDPR contains 99 Articles and is therefore very difficult to summarise in a few lines. Essentially, however, the main points can be boiled down as follows:

  • To be able to process personal data, there must be a rule that allows this, except where we have obtained the data subject’s consent.
  • The data subject must be provided with detailed information regarding the processing of personal data, worded in a concise, simple and easily accessible manner.
  • The information provided determines the permitted subsequent uses of the data: for example, it would be illegal to use them for purposes that we have not adequately explained to the data subject.
  • The data subject’s rights must be respected. These rights range from knowing which data we are processing, to the erasure of that information.
  • Information systems must be designed with the obligations laid down in the GDPR in mind, so as to facilitate compliance with the Regulation by their users and guarantee the security of personal data.
  • In some cases, companies must appoint a “data protection officer”.

The GDPR is limited to the processing of natural persons’ personal data. It does not affect the information concerning legal entities (companies) although it does affect the data of their employees or executives.


Personal data means all information relating to a natural person whose identity can be determined, directly or indirectly (the “data subject”). All such data, however innocent it may appear to us, deserves protection, and extra care is required when we process “special categories of personal data” (“sensitive data”). Sensitive data means information that reveals ethnic or racial origin, political opinions, religious or philosophical convictions or trade union membership, as well as genetic data, biometric data used to unequivocally identify somebody, and data concerning health or an individual’s sexual life or orientation.

Data processing means any operation or series of operations performed on personal data or on sets of personal data, whether or not by automated means (collection, organisation, consultation, use, storage, alteration, destruction, etc.). Merely storing data on a computer is deemed to be processing.

The companies affected by the Regulation are those that process personal data and which are either domiciled in the European Union or whose services are aimed at EU citizens. The Regulation divides them into two categories, depending on the role that they carry out:

  1. Data controllers, when they are capable of taking decisions regarding which data will be processed, for which purposes and with which resources.
  2. Data processors, when they simply process data on behalf of a third party (the controller), for example to provide it with a service.


Ⓒ 2018 | All rights reserved