On 25 May 2016, the new General Data Protection Regulation (RGPD in Spanish) came into force. However, it will not become effective until May 2018. Thus, in less than two years, all companies will have to adapt to the new legislation.
This is why the IT department of Fornesa Abogados recommends beginning a progressive adaptation process covering all aspects of the new Regulation. In June, a press release from the Spanish Data Protection Agency recommended that companies and organisations begin to adapt to the new Regulation.
The following are a few of the most important issues arising from the new Data Protection Regulation that need to be addressed.
Practical application of the Data Protection Regulation
The Regulation applies, as before, to those responsible for and in charge of data processing who are resident in the EU, but it is now also extended to those outside the EU when the processing arises from offers of goods or services to citizens of the EU or from monitoring and following up their behaviour.
This is additional protection for citizens of the European Union, as, until now, these companies could process data in the EU while being governed by the regulations of other countries, which did not always provide the same level of protection.
At present, the regulation allows tacit consent; however, the new Regulation requires an express statement by the user for consent to be considered unequivocal. Those responsible for data processing will be required to prove that the owner of the data gave their consent to their data being processed.
- One stop shop
Companies will be able to address a single supervisor in the EU.
- Right to Transparency (right of the user)
In addition to the ARCO rights, the new Regulation adds the rights to Transparency or Information, to Be Forgotten or Data Suppression, and to Portability.
- Data Protection Officer
The figure of the Data Protection Officer is introduced to address issues in coordination, control and supervision of compliance.
- Data Protection by Design and by Default
Data Protection by Design is mandatory. The Regulation entails proactive or preventive measures. How? By using Risk Analytics.
- Notifying breaches to the data protection authority
The new Regulation requires those responsible for the processing to notify the Spanish Data Protection Agency of any security breach in their organisation within 72 hours.
Finally, companies and organisations have less than two years to adapt to the new legislation and assess the implementation of certain measures of the Regulation, as long as such measures do not infringe current legislation. It is, without a doubt, advantageous to carry out the implementation now, allowing errors, difficulties and deficiencies to be detected and remedied before May 2018.