The entry into application of the General Data Protection Regulation (GDPR) last year transformed how companies and institutions in the European Union handle personal data.
Every time we browse a website, hire a service or simply book a table at a restaurant or buy cinema tickets, the organizations involved collect our personal data in order to offer us a more personalized service, better suited to our needs. However, not all that glitters is gold: while this is a real advance, it makes no sense if our data, and that of thousands of other people, circulates without control.
To protect European citizens and their personal data, and in response to a widespread lack of trust, the European Union adopted Regulation (EU) 2016/679 of the European Parliament and of the Council in April 2016, a set of rules that have been mandatory since 25 May 2018. It is a single regulation governing the processing of personal data (name, address, location, health information, income, religion, and so on) by organizations across the European Union.
Under the GDPR, where an organization relies on consent to process personal data, that consent must be explicit, freely given and informed; consent is also only one of several lawful bases for processing (a contract with the user, a legal obligation or a legitimate interest are others), so an organization must know which basis it is relying on for each use of the data.
Keys to compliance with the GDPR
Although the GDPR is binding on small, medium and large companies alike, without exception, there are still organizations that do not meet the requirements of this European regulation.
Therefore, to guarantee the protection of personal data, it is essential to take the following into account:
- Be clear about which data will be collected, who the controller of that data is, what it will be used for and for how long it will be kept, and inform the user of all of this.
- Provide a consent section where users can tick a box if they agree to share their personal information, plus a separate, specific box where the user can allow or refuse informational and commercial communications from the company. The boxes must not be pre-ticked: a pre-ticked box or silence does not count as consent, and withdrawing consent must be as easy as giving it.
- Designate a Data Protection Officer (DPO) (not every company is required to appoint one).
- Sign confidentiality agreements with employees and contractors.
- Keep a record of the personal data processing activities carried out.
- Analyze the risks and be ready to notify the supervisory authority without undue delay (within 72 hours where feasible) in the event of a security incident or personal data breach, and to notify the affected users when the breach is likely to pose a high risk to them. In addition, carry out a data protection impact assessment (DPIA) to understand how such processing can affect users (for example, data about minors or health information).
- Publish the legal texts (legal notice, cookie policy and privacy policy) on the website.
- Guarantee users' rights over their data: access, rectification, erasure (the "right to be forgotten"), restriction of processing, objection and portability.
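The consent section and the record-keeping items above are easier to get right with code than with a checklist, so here is an added example (not code from the original article or from ISEA) of a small consent ledger: one checkbox per purpose, no bundling of service consent with marketing consent, an unchecked or missing box treated as "no", withdrawal with a single call, re-consent required when the policy text changes, and an evidence trail the company can show an authority. It also includes a check that the rendered form has no pre-ticked consent boxes. The purpose names, policy version strings, user identifiers and form values are assumptions for the example.

```python
"""Consent capture and record-keeping for a GDPR-style consent section.

Added example (not from the original article). The purpose names,
policy version strings and form submissions below are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One checkbox per purpose: consent to the service's own processing and
# consent to commercial communications are asked for separately.
PURPOSES = ("service_data", "marketing")


@dataclass
class ConsentRecord:
    user_id: str
    purpose: str
    granted: bool
    policy_version: str  # which privacy policy text the user saw
    timestamp: datetime


class ConsentLedger:
    """Append-only log of consent decisions, so consent can be demonstrated."""

    def __init__(self, policy_version: str) -> None:
        self.policy_version = policy_version
        self._records: List[ConsentRecord] = []

    def record_from_form(self, user_id: str, form: Dict[str, str]) -> Dict[str, bool]:
        """Interpret a submitted form. A missing or unchecked box means no
        consent; only an explicit "on" counts as an affirmative action."""
        decision: Dict[str, bool] = {}
        now = datetime.now(timezone.utc)
        for purpose in PURPOSES:
            granted = form.get(purpose) == "on"
            self._records.append(ConsentRecord(user_id, purpose, granted, self.policy_version, now))
            decision[purpose] = granted
        return decision

    def withdraw(self, user_id: str, purpose: str) -> None:
        """Withdrawal must be as easy as giving consent: one call, no questions."""
        self._records.append(ConsentRecord(user_id, purpose, False, self.policy_version,
                                           datetime.now(timezone.utc)))

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """Latest decision wins. Consent given under an older policy version
        is not carried over: the user must be asked again."""
        latest = self._latest(user_id, purpose)
        return latest is not None and latest.granted and latest.policy_version == self.policy_version

    def evidence(self, user_id: str) -> List[Dict[str, str]]:
        """What the company can show an authority: which purpose, what was
        decided, when, and under which version of the privacy policy."""
        return [
            {"purpose": r.purpose, "granted": str(r.granted),
             "policy_version": r.policy_version, "timestamp": r.timestamp.isoformat()}
            for r in self._records if r.user_id == user_id
        ]

    def _latest(self, user_id: str, purpose: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):
            if rec.user_id == user_id and rec.purpose == purpose:
                return rec
        return None


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
NAME_ATTR = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
CHECKBOX = re.compile(r"""\btype\s*=\s*["']checkbox["']""", re.IGNORECASE)
CHECKED = re.compile(r"\bchecked\b", re.IGNORECASE)


def preticked_consent_boxes(html: str) -> List[str]:
    """Return the names of consent checkboxes rendered as already checked.
    A pre-ticked box is not valid consent, so this list should be empty."""
    found: List[str] = []
    for m in INPUT_TAG.finditer(html):
        tag = m.group(0)
        if not CHECKBOX.search(tag) or not CHECKED.search(tag):
            continue
        name = NAME_ATTR.search(tag)
        if name and name.group(1) in PURPOSES:
            found.append(name.group(1))
    return found


if __name__ == "__main__":
    ledger = ConsentLedger(policy_version="2019-05")
    # Constructed form submission: the user ticked only the service box.
    print(ledger.record_from_form("user-42", {"service_data": "on"}))
    print(ledger.has_consent("user-42", "marketing"))
    ledger.withdraw("user-42", "service_data")
    print(ledger.evidence("user-42"))
    # Constructed form markup with a pre-ticked marketing box (a defect).
    print(preticked_consent_boxes('<input type="checkbox" name="marketing" checked>'))
```

The ledger never overwrites a decision; it appends, so the history of what each user agreed to, and when, survives withdrawals and policy changes. Bumping `policy_version` after the privacy policy text changes makes every earlier consent stop counting until the user is asked again.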
What does a breach of the GDPR cost?
If a company does not comply with the GDPR, the national supervisory authority (data protection authority) of each Member State will first warn it to change the way it collects information and informs its users. It may also issue a formal reprimand and, if the problem is not resolved, order the suspension of the company's data processing and impose a fine which, in the most serious cases, can reach 20 million euros or 4% of total worldwide annual turnover, whichever is higher. In addition, affected users can claim compensation from the company, something previous rules did not provide for.
And what does ISEA recommend? Above all, get good advice: trust professionals and bring your data protection up to date, not only because you are obliged to, but out of responsibility and respect.