Introduction
The GDPR was adopted by the European Union to adapt data protection law to technological developments that have led to an exponential growth in data processing.
The new regulation requires proactive action from those in charge of and responsible for processing, making data protection by design and by default central concepts.
The GDPR also makes explicit that online identifiers such as cookies, IP addresses and similar ICT identifiers can be personal data.
General changes: GDPR versus LOPD
Having understood why this new GDPR was necessary, the most important thing is to understand the changes it implies with respect to the Spanish LOPD.
Changes in legitimation
The concept of high-risk processing covers, among other cases, the evaluation of personal aspects for profiling, the large-scale systematic monitoring of a publicly accessible area, and large-scale processing of special categories of data.
The most important change is that tacit or implied consent is no longer valid: consent must be given by a clear statement or affirmative action, and explicit consent is required for special categories of data, automated decisions, international transfers, etc.
Processing started under the old LOPD remains valid only if the consent on which it relies meets the GDPR standard.
Changes in the transfer of information to interested parties
The GDPR establishes that information for data subjects shall be provided in a concise, transparent, intelligible and easily accessible form, in clear and plain language, and must include:
- The legal basis of the processing
- The intention to make international transfers
- The contact details of the Data Protection Officer (DPO; Delegado de Protección de Datos in the Spanish text)
- The existence of profiling
Changes in the rights of those affected
Right of access
- LOPD: it was mandatory to provide all the basic data of the data subject, but not copies or documents
- GDPR: recognises the right to obtain a copy of the personal data undergoing processing
- Important: controllers may satisfy this right by providing remote access to a secure system that gives the data subject direct access to their personal data
Right to be forgotten
This right is the consequence of applying the right to erasure of personal data, and is a manifestation of the LOPD rights of cancellation and objection in an online environment.
If the controller has made the personal data public, it must take reasonable technical measures to have the data erased, including informing other controllers that are processing it that the data subject has requested erasure.
Restriction of processing
At the request of the data subject, processing operations are suspended in the cases listed in the GDPR, for example when the processing is unlawful, which would lead to erasure, but the data subject opposes erasure and asks for restriction instead; the data is then kept but not otherwise processed.
Important:
- Restriction of processing is a right of the data subject and should not be confused with the blocking of data (bloqueo) under Spanish law
- Time limits and procedures are the same as for the other rights
- The common practice of erasing data when other rights (such as access) are exercised should be avoided, as it would prevent the exercise of the right to restriction
Portability
The right to data portability is an enhanced form of the right of access: the copy provided to the data subject must be in a structured, commonly used and machine-readable format. This right can only be exercised:
- When the processing is carried out by automated means
- When it is based on consent or on a contract
- When the data subject requests it in respect of data he or she has provided to the controller, including data generated by the data subject's own activity (for example usage or location data)
Important:
- This right includes having the data transmitted directly from one controller to another where technically feasible
- This right does not apply to data provided by third parties
Changes in the controller-processor relationship
The GDPR uses the terms controller (responsable del tratamiento) and processor (encargado del tratamiento). The innovations in their relationship fall into three areas:
- Specific obligations for processors
The old LOPD only contained obligations for controllers; the GDPR also imposes obligations directly on processors:
  - They must keep a record of processing activities
  - They must determine the security measures applicable to the processing they carry out
  - They must appoint a Data Protection Officer in the cases indicated by the GDPR
- Choice of processor
The controller shall only use processors that provide sufficient guarantees, in terms of organisational and technical capability, that the processing will meet the requirements of the GDPR.
- Content of the processor contract
The relationship between controller and processor must be formalised in a contract or other legal act, and existing contracts must be adapted to the GDPR.
Accountability measures
Another important aspect is the set of procedures that the controller and the processor must follow to comply with the accountability (active responsibility) measures.
Record of processing activities
Controllers and processors must maintain a record of processing activities containing, among other items: the name and contact details of the controller, the purposes of the processing, a description of the categories of data subjects and of personal data, the categories of recipients, any international transfers and, where possible, retention periods and a general description of the security measures.
Organisations with fewer than 250 employees are exempt, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data.
Notification of data security breaches
A personal data breach is any security incident that results in the destruction, loss or alteration of personal data, or in its unauthorised disclosure or access.
The controller must notify the breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of those affected. The notification must include:
- The nature of the breach
- The categories and approximate number of data subjects and records concerned
- The measures taken by the controller to address the breach
- The measures applied to mitigate its possible adverse effects
If the breach is likely to result in a high risk to data subjects, it must also be communicated to them without undue delay so that they can protect themselves.
A mere suspicion of a breach or the discovery of an incident is not yet a notifiable breach: the controller must first establish what has happened and assess the real risk to data subjects. Where full information is not yet available within the 72 hours, the GDPR allows the notification to be completed in phases.
Designation of the data protection delegate
The GDPR makes it compulsory to appoint a Data Protection Officer (DPO) in the following cases:
- Public authorities and public bodies
- Controllers or processors whose core activities require regular and systematic monitoring of data subjects on a large scale
- Large-scale processing of special categories of data
The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice.
The controller or processor must publish the DPO's contact details and communicate them to the supervisory authority.
Every DPO must be guaranteed the following:
- Full autonomy in the exercise of his or her functions
- Direct reporting to the highest management level
- A duty on the controller or processor to provide all the resources necessary to carry out the DPO's tasks
International transfers
Personal data may only be transferred outside the European Economic Area in the following cases:
- To countries, territories or specific sectors for which the European Commission has decided that they offer an adequate level of protection
- Where appropriate safeguards have been provided (for example standard contractual clauses or binding corporate rules) that the data will be protected at its destination
- Where one of the derogations applies that allows a transfer without adequacy or appropriate safeguards, on grounds of necessity linked to the data subject's own interests or to important public interests
At the time of writing, the countries and territories covered by an adequacy decision include: Switzerland, Andorra, Guernsey, the Isle of Man, Jersey, the Faroe Islands, Israel, Uruguay, New Zealand and the USA (under the Privacy Shield). Note that the Privacy Shield adequacy decision was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so transfers to the USA can no longer rely on it.
Data processing of children
The mention of children relates to obtaining consent for the direct provision of information society services. The GDPR provides that, in this context, a child's own consent is only valid from the age of 16; below that age, consent must be given or authorised by the holder of parental responsibility.
On the one hand, the GDPR allows member states to set a lower age as long as it is not less than 13 years old.
On the other hand, the GDPR requires that those responsible make reasonable efforts to verify that consent has been given by the parents.
Pseudonymization
Pseudonymisation is a new concept in the GDPR: processing personal data (for example by encrypting or hashing direct identifiers) so that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and protected by technical and organisational measures. Pseudonymised data is still personal data, so its processing still needs a legal basis. The GDPR treats pseudonymisation as a safeguard that reduces the risk of a processing operation and eases certain obligations, for example when assessing whether a breach must be communicated to data subjects.
Although the Spanish data protection agency (AEPD) encourages companies to pseudonymise, it is important to know that doing so requires a risk analysis and the consequent impact assessment; in particular, an unkeyed hash of a low-entropy identifier (a national ID number, a phone number, an employee number) can be reversed by recomputing the hash over all candidate values, so it is pseudonymisation in name only.
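The hashing caveat above is easier to see in code. The following is an added example, not code from the original article or from jtsec: it contrasts a plain SHA-256 of a constructed, enumerable employee number with an HMAC-SHA256 pseudonym whose key is held apart from the data set, and shows that the plain hash is re-identified by exhaustively recomputing it over the identifier space, while the keyed pseudonym is only re-identified by someone holding the key or the separately stored mapping. The record layout, the `EMP-nnnn` identifier format and the key handling are assumptions made for illustration.

```python
"""Pseudonymisation of a low-entropy identifier: unkeyed hashing versus a keyed
pseudonym (HMAC-SHA256) whose key is held apart from the pseudonymised data set.

Added example. The records, the identifier format and the key handling are
constructed for illustration and are not taken from the original article.
"""
import hashlib
import hmac
import secrets

# Constructed sample records. Employee numbers form a small, enumerable space,
# which is what makes an unkeyed hash of them reversible.
RECORDS = [
    {"employee_id": "EMP-0042", "department": "finance", "salary_band": "C"},
    {"employee_id": "EMP-1337", "department": "it", "salary_band": "B"},
    {"employee_id": "EMP-0007", "department": "legal", "salary_band": "D"},
]


def candidate_identifiers():
    """Every syntactically valid identifier of the constructed format (10,000 values)."""
    return (f"EMP-{n:04d}" for n in range(10_000))


def naive_pseudonym(identifier):
    """Plain SHA-256: deterministic and unkeyed, so anyone can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 under a secret key that is stored separately from the data set."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key):
    """Return (pseudonymised records, mapping).

    The direct identifier is replaced by a keyed pseudonym. The mapping
    pseudonym -> identifier is the 'additional information' that the GDPR
    requires to be kept separately under technical and organisational
    safeguards; it is returned as a second value so the caller can isolate it.
    """
    pseudonymised, mapping = [], {}
    for rec in records:
        p = keyed_pseudonym(rec["employee_id"], key)
        mapping[p] = rec["employee_id"]
        new_rec = {k: v for k, v in rec.items() if k != "employee_id"}
        new_rec["subject"] = p
        pseudonymised.append(new_rec)
    return pseudonymised, mapping


def reidentify_by_dictionary(pseudonym, pseudonym_fn):
    """Attacker view: recompute pseudonym_fn over the whole identifier space and
    look for a match. Succeeds against unkeyed hashes of small spaces; fails
    against keyed pseudonyms unless the attacker also has the key."""
    for cand in candidate_identifiers():
        if hmac.compare_digest(pseudonym_fn(cand), pseudonym):
            return cand
    return None


def reidentify_with_mapping(pseudonym, mapping):
    """Controller view: authorised re-identification via the separately held mapping."""
    return mapping.get(pseudonym)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: an HSM, KMS or a separate system
    data, mapping = pseudonymise_records(RECORDS, key)
    leaked = data[0]["subject"]  # suppose only the pseudonymised data set leaks
    print("plain hash, dictionary attack :", reidentify_by_dictionary(naive_pseudonym("EMP-0042"), naive_pseudonym))
    print("keyed pseudonym, no key       :", reidentify_by_dictionary(leaked, naive_pseudonym))
    print("keyed pseudonym, with mapping :", reidentify_with_mapping(leaked, mapping))
```

The design point is that the security of the pseudonym rests entirely on the key (or the mapping table) being stored and governed apart from the data set: if both leak together, the HMAC buys nothing, which is why the GDPR ties pseudonymisation to the separate storage of the additional information rather than to the hash function itself.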
jtsec offers consulting services to achieve compliance with the GDPR, for example, helping companies to implement pseudonymization in their processes. Do not hesitate to contact us if you are interested or need help in implementing the GDPR in your business.