Four letters made up the acronym for what was, until recently, one of the most ubiquitous and influential laws affecting companies and public bodies in Spain. In 2016 the Organic Law on Data Protection (LOPD in Spanish) began handing over its prominent role to a new four-letter acronym, the GDPR (RGPD in Spanish), the European General Data Protection Regulation. After four years of work following the European Commission's 2012 proposal, the new Regulation entered into force in May 2016; it repeals Directive 95/46/EC when it becomes applicable.
Organisations now have until 25 May 2018 (the date from which the Regulation applies and is enforceable) to establish the preventative structures and guarantee compliance with stricter standards for securing and protecting the personal data of individuals in the EU.
The Regulation is directly applicable and unifies the requirements across the Member States as a whole. However, the Member States retain a certain degree of flexibility in implementing its many references to national legislation, such as the detailed development and application of the penalty regime. In this regard, the maximum fine has risen significantly: from the LOPD's current maximum of EUR 600,000 to the higher of EUR 20 million or 4% of the entity's total worldwide annual turnover for the preceding financial year.
The countdown has begun: public entities and companies in all sectors, particularly those that process a significant amount of personal data, work with the Administration, or manage sensitive information, must start getting prepared to comply with the requirements of this new regulation, some of which we list below.
This ambitious regulation poses important challenges: there are more requirements, higher penalties, and the scope of its application and the regulatory harmonization is more extensive.
- One of the most significant new features, whose impact will require ongoing follow-up and attention, is the expanded territorial scope. The new Regulation will cover a wider range of individuals than the LOPD did. Henceforth, companies that offer goods or services to individuals in the EU, or that monitor their behaviour, will be subject to the Regulation's requirements even when the companies themselves are established outside the EU. Organisations not established in the EU are, as a rule, required to designate a representative within the EU who will be the point of contact for both the Supervisory Authorities and the data subjects wishing to know how their data is handled.
- Accountability (active responsibility) becomes the key concept behind a series of requirements placed on companies. Rather than merely reacting after a violation has occurred, organisations must take preventative measures beforehand, starting at system design, so that compliance with the rights and guarantees the Regulation establishes is demonstrable and proactive. Organisations must notify the Supervisory Authority of personal data breaches (within 72 hours of becoming aware of them, where feasible), which in practice means reporting against themselves. Furthermore, organisations that process certain categories of data, or that carry out large-scale or systematic monitoring, are obliged to appoint a Data Protection Officer (DPO) responsible for tasks such as advising on, monitoring and verifying the measures adopted to comply with the Regulation. Even where appointing a DPO is not compulsory, doing so voluntarily can be read, in light of the accountability principle, as evidence of the company's diligence. Companies must define which role or position within the organisation will perform these duties, avoiding potential conflicts of interest. Some interesting precedent has already arisen in this regard: a recent decision by a German supervisory authority held that a company's IT manager should not act as its DPO, because the role would imply a conflict of interest and produce the paradoxical situation of the individual supervising him- or herself. Marketing, finance or human resources managers are not ideal candidates either, since they are normally the ones who decide how the data sets linked to their business are used and for what purposes.
- Companies must carry out risk analyses and data-protection impact assessments. The European Commission argues that the Regulation does not increase the workload for organisations but simply introduces a new paradigm for security and working procedures. One example is the obligation to give data subjects, in the privacy notices, information on the legal basis for the processing, the period for which the data will be retained, and the right to lodge a complaint with the Supervisory Authority. In many cases the preventative measures required amount to formalising, in a legal text, practices that are already standard in companies, or that will be adopted to deliver the required privacy by design and by default. These GDPR concepts stress limiting collection to the data that is actually necessary, and protecting privacy from the very start of any new process, product, service or application.
- The Regulation establishes new rights that allow individuals to control their personal data: the right to data portability, which lets data subjects receive their personal data in a structured, machine-readable format and transfer it from one organisation to another more easily; and the right to be forgotten (or "right to erasure"), which entitles a data subject to have their personal data deleted, subject to the exceptions the Regulation provides (for example, where processing is needed to comply with a legal obligation or to exercise freedom of expression). The latter drew inspiration from the judgment of the CJEU of 13 May 2014 (Google Spain), which ruled that links to personal information may be removed from search engine results when the information is not of public interest, or is inaccurate, irrelevant or no longer relevant.
- The conditions for obtaining valid consent are now stricter. Consent must be freely given, specific, informed and unambiguous, expressed through a statement or a clear affirmative action; silence, inactivity or pre-ticked boxes will not suffice. Individuals must also be informed of their right to withdraw consent, and withdrawing it must be as easy as giving it.
- The so-called 'one-stop-shop mechanism' means that an organisation carrying out cross-border processing deals primarily with a single lead Supervisory Authority, that of the Member State where its main establishment is located, even when the processing concerns individuals in several countries, because the Regulation also establishes protocols for cooperation and consistency among the national authorities. The European Data Protection Board will resolve disputes between authorities at a higher level. The Board is made up of the heads of the national data-protection authorities (together with the European Data Protection Supervisor), and its dispute-resolution decisions will be binding.
Organisations that process personal data must act before the Regulation becomes applicable in May 2018 and begin studying and implementing preventative measures, records of processing activities, data-protection impact assessments and risk analyses for their data processing.
Doing so will allow them to identify difficulties or errors now, while the measures are not yet compulsory, so that they can perform their preventative and supervisory duties more effectively in the future.