The new European Data Protection Regulation (GDPR) requires organisations to ensure the security of personal data, applying the measures necessary to avoid any damage, assuming proactive responsibility and being answerable for all damage suffered by such data. To this end, it is important to understand the following points, as they will help us to implement the necessary changes in our organisation.
9 keys to understanding how the new General Data Protection Regulation works
1. The duty of information and responsibility for processing
These are two of the most important modifications. Data controllers can obtain certification under the schemes envisaged by the GDPR to demonstrate that they are able to offer the guarantees required by the regulations.
- The clauses: As a new development, information must be provided on the legal basis of processing, the data protection officer, if there is one, the organisation’s intention to transfer data internationally, and the creation of profiles. The identification of the data controller and the rights of data subjects are as in the previous regulations.
- Contracts: The content of contracts is extended and they must now include attention to the rights of data subjects, a confidentiality commitment signed by the data controller’s personnel, and the data processor’s duty to cooperate with the data controller more extensively than required by the old LOPD.
2. Proactive responsibility, privacy in design and by default
The data controller and data processor are obliged to prevent damage and to demonstrate that the company complies with the regulations. To achieve this, privacy must be measured from two points of view:
- Privacy by design: all data processing systems must comply with the GDPR from the earliest stages of a project until it is completed.
- Privacy by default: data processing systems must be configured as restrictively as possible to protect people’s privacy. There should be a special focus on data governance, as it is users who must decide which aspects of their information they want to make public.
3. Registration of files and record of activities
The obligation to register files with the Spanish Data Protection Agency (AGPD) is replaced by the obligation to keep a record of activities. Each company must describe in detail what data it collects, for what purpose it uses them, who it discloses them to, whether it transfers them to third countries, how it keeps them secure, their portability, and when it can delete them.
4. New rights of data subjects
The ARCO rights (access, rectification, cancellation and opposition) are maintained, while some more are added with special technical implications: limitation of use, portability and the right to be forgotten. Time limits also change. Whereas, under the LOPD, the period for attending to the right of access was one month and for other rights 10 days, the new regulations specify a unified period of 1 month for all rights.
5. Unequivocal consent of the interested party
One of the GDPR’s new sections makes it clear that consent must be obtained through a clear affirmative action or a free demonstration of the subject’s will that leaves no room for doubt, as detailed below:
- It must be equally easy for the interested party to give their consent or withdraw it.
- Consent must be obtained for each different purpose for which data is used.
- It must be possible to demonstrate that we have obtained the interested party’s consent (reliable proof).
When should consent be sought?
It must always be requested, except in the following cases:
- When it is necessary for the execution of a contract to which the subject is a party or for the application of pre-contractual measures at the subject’s request.
- When necessary to comply with a legal obligation.
- When necessary to satisfy the legitimate interest of the data controller, for a vital interest or in the public interest.
What happens to consent granted previously, in accordance with the LOPD?
If it was granted in compliance with the current GDPR parameters, no action is necessary. In other cases there are several options:
- Request it again.
- Determine whether there is another legal basis for the use of the data, such as legitimate interest.
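The three consent requirements above (one consent per purpose, withdrawal as easy as granting, and reliable proof that consent was obtained) have a direct technical shape. The following is an added example, not code from this article or from any regulator or product: a small append-only consent ledger in which every grant and withdrawal is an event tied to a single purpose, the current answer to "may we process this subject's data for this purpose?" is derived from those events (no event means no consent, which is the privacy-by-default position), and each event is hash-chained to the previous one so that the record can be shown not to have been altered afterwards. The class and method names, the purpose labels and the sample form references are assumptions chosen for illustration.

```python
"""Consent ledger: per-purpose, withdrawable, demonstrable consent (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event in the chain


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # pseudonymous identifier of the data subject
    purpose: str      # exactly one purpose per event, e.g. "newsletter"
    action: str       # "given" or "withdrawn"
    timestamp: str    # ISO-8601 UTC, when the action happened
    evidence: str     # how consent was captured, e.g. form id and version
    prev_hash: str    # hash of the previous event (tamper-evident chain)
    event_hash: str   # SHA-256 over this event's fields and prev_hash


def _hash_event(subject_id, purpose, action, timestamp, evidence, prev_hash) -> str:
    payload = json.dumps([subject_id, purpose, action, timestamp, evidence, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only log of consent events; state is derived, never overwritten."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, subject_id, purpose, action, evidence, timestamp=None) -> ConsentEvent:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self._events[-1].event_hash if self._events else GENESIS
        ev = ConsentEvent(subject_id, purpose, action, ts, evidence, prev,
                          _hash_event(subject_id, purpose, action, ts, evidence, prev))
        self._events.append(ev)
        return ev

    # Giving and withdrawing are symmetric: same call shape, same cost.
    def give(self, subject_id, purpose, evidence, timestamp=None) -> ConsentEvent:
        return self._append(subject_id, purpose, "given", evidence, timestamp)

    def withdraw(self, subject_id, purpose, evidence, timestamp=None) -> ConsentEvent:
        return self._append(subject_id, purpose, "withdrawn", evidence, timestamp)

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """Latest event for (subject, purpose) decides; no event means no consent."""
        state = False
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.action == "given"
        return state

    def proof(self, subject_id: str, purpose: str) -> list[dict]:
        """The evidence trail to hand over if asked to demonstrate consent."""
        return [ev.__dict__ for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited or reordered event breaks the chain."""
        prev = GENESIS
        for ev in self._events:
            if ev.prev_hash != prev:
                return False
            if _hash_event(ev.subject_id, ev.purpose, ev.action, ev.timestamp,
                           ev.evidence, ev.prev_hash) != ev.event_hash:
                return False
            prev = ev.event_hash
        return True


def demo() -> dict:
    """Constructed walk-through with fixed timestamps so results are reproducible."""
    ledger = ConsentLedger()
    ledger.give("subject-001", "newsletter", "signup form v3, unticked box ticked by user",
                "2018-05-25T09:00:00+00:00")
    before = ledger.is_permitted("subject-001", "newsletter")
    other = ledger.is_permitted("subject-001", "profiling")  # never asked: False
    ledger.withdraw("subject-001", "newsletter", "account settings, 'stop emails' link",
                    "2018-06-01T10:00:00+00:00")
    after = ledger.is_permitted("subject-001", "newsletter")
    return {"before_withdrawal": before, "other_purpose": other,
            "after_withdrawal": after, "chain_ok": ledger.verify_chain(),
            "proof_entries": len(ledger.proof("subject-001", "newsletter"))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because consent for one purpose says nothing about another, `is_permitted` is keyed on the pair (subject, purpose) and defaults to refusal; the `proof` output is what you would produce to show that consent existed at a given moment, and `verify_chain` is the check that the trail has not been edited since.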
6. Current legal basis for the use of data
While the LOPD took consent as the main legal basis and treated other cases as exceptions, the new regulations clearly differentiate consent, contractual relationships, the vital interests of the data subject or third parties, the legal obligations of the data controller, the public interest and the exercise of public powers.
7. Risk analysis and security measures
The GDPR bases the application of security measures on the risk when processing information. To analyse this, the nature of the data, the number of parties affected and the volume and variety of data processing by the company must be taken into account.
8. The new figure of the Data Protection Officer (DPO)
This is one of the most notable new features. The requirement to have a Data Protection Officer alongside the existing roles of Data Controller and Data Processor could be a serious headache for companies. The DPO’s functions are intended to ensure compliance with regulations and give advice to the Data Controller, very much in line with the duties of the Compliance Officer.
The GDPR, as currently drafted, does not exclude any type of company or organisation from this obligation on the grounds of its number of employees (the reference to 250 employees has been removed), and it is mandatory in three specific cases:
- Public authorities or organisations.
- If the primary activity of the data controller or processor requires that data be processed and analysed regularly.
- The large-scale processing of particularly sensitive data (ideology, ethnicity, union affiliation, health, etc.) or data relating to criminal offences.
9. New penalties for non-compliance
Fines are increased substantially to prevent what is known as “profitable offences”. Article 83 of the GDPR thus stipulates that administrative offences may be sanctioned with fines of up to 20 million euros. In the case of a company, the fine could be up to 4% of turnover, based on overall turnover in the previous financial year.
Is there any insurance policy that can cover the risk of non-compliance with the GDPR?
The insurance market has been analysing the economic damage that a data-related incident can cause, and is creating new cover in its Cyberrisk products that takes the new regulations into account, in order to help address problems arising from such incidents.
How does it work?
If you have a security incident (an attack, leak or accident) in your information systems or computer resources, the policy would assume the costs that could be generated, for example, by the interruption or cessation of business, loss of customers, recovery of the company’s reputation, legal consequences, and compensation for the publication of personal data and confidential information. In addition, the fees of IT security, legal and communications experts are included.
Most significant types of cyberrisk cover
- An incident management service provided by specialists to advise, coordinate and manage the response in the event of a data breach, security failure or threat of extortion.
- Third-party claims. These may be due to a breach of your data, security failures affecting a third party or a claim for moral damage through the internet that has occurred as a result of attacks on your digital channels. For example, sanctions by the regulatory body (AGPD) in connection with the new regulations (GDPR).
- Loss of profits in the event of business being interrupted as a result of an external or internal cyber attack.
- Data recovery. In the event of data loss or damage, our partners will help you to recover the lost information and to restore your systems so that you can work normally.
- Cyber-extortion. All the services necessary to unblock systems and manage a threat of extortion.