25 May 2018 will mark a defining point in the regulation of privacy throughout Europe. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, has finally come into effect, after a long and complex legislative process initiated in 2012. Directive 95/46/EC has consequently been repealed.
Said Regulation (henceforth, the GRDP, General Registry of Data Protection ['RGPD – Registro General de Protección de Datos']) applies directly in the Member States (without the need for national transposition), although a transitional period until 25 May 2018 has been established before it becomes applicable to all effects.
What does this new norm pursue?
With the GRDP, the European legislator hopes to accomplish:
- The reinforcement of citizens' rights by granting them a greater control over their private information, in the light of the latest technological developments and the significant increase in the processing of personal data in the digital world.
- A contribution to greater legal certainty, by establishing homogeneous standards of personal data protection throughout the EU (adapted to the digital setting) by means of a single, clear legal framework.
- A reduction in the administrative burden on companies that process personal data.
- The regulation of the use of data for law enforcement and judicial purposes.
- Strict compliance with the applicable rules and regulations, with considerably higher penalties in case of non-compliance.
Main developments and advantages
- A single norm in the European Union, for any European or foreign company that processes the personal data of European citizens. The GRDP will harmonise and unify the rules and regulations on data protection across the Member States of the European Union (EU). It must be pointed out that said rules and regulations shall apply not only to companies established in the EU, but also to companies that, without being established in the EU, process the personal data of European citizens when offering goods or services to said citizens.
- New rights for individuals. Citizens will have more information on how their personal data is processed. In addition to the already known ARCO rights (access, rectification, cancellation and opposition), the following are also regulated:
  - The scope of the right to erasure of data, whereby any citizen may request the definitive deletion of their personal data when they terminate a contracted service, except in those cases where rules and regulations prevent it.
  - The right to portability of a user's data, so as to transfer their data from one service provider to another (e.g., between different social networks).
  - The right to be informed of alleged “hacking” of their data.
- Consent for the processing of personal data, which will have to be clear and unequivocal. This obligation will be especially relevant in the case of sensitive data (health) or of minors, where trustworthy mechanisms for obtaining personal data and processing it must be implemented.
- The concept of sensitive data has been updated and expanded to include new categories such as sexual orientation, biometric and genetic data, or philosophical beliefs.
- Less bureaucracy, lower costs. The GRDP entails a significant reduction in bureaucracy (and costs) for European companies. In particular:
  - The obligation to register files will disappear.
  - A 'One Stop Shop' (Ventanilla Única) will be set up. Via the creation of the Control Authority (Autoridad de Control), procedures with effect throughout the EU will be able to be carried out before a single data protection authority.
- Company obligations.
  - The obligation to carry out risk analyses and impact assessments. The GRDP aims to guarantee the implementation of data protection measures from the initial stage of a business model (data protection by design). Moreover, whenever data is processed in a way that may pose a risk to those affected, it will be compulsory to first carry out a risk analysis so as to determine regulatory compliance.
  - Companies will have to appoint a Data Protection Officer / DPO (Delegado de Protección de Datos). Said person is to be understood as the supervisor of the activity of the person responsible for processing personal data, in compliance with their respective obligations. As the most notable development, the DPO will perform his/her functions with absolute independence (without receiving any instructions whatsoever from the person responsible for data processing). The DPO must have legal knowledge as well as knowledge of new technologies (it is therefore not viable to appoint the company's IT Director, as the majority of companies have been doing over the past years).
  - Companies must scrupulously comply with the applicable rules and regulations, since the penalties for non-compliance have risen visibly. By way of example, in the case of serious offences, the penalty can be set as a percentage of the offending company's global turnover, which may result in penalties amounting to millions of euros for multinationals that fail to adapt their activity correctly to the new Regulation.
What steps must companies take to comply with the GRDP?
Over the next two years, until the aforementioned Regulation becomes applicable, all companies must continue to comply with the provisions of the Organic Law on Data Protection (LOPD – Ley Orgánica de Protección de Datos) (or the national rules and regulations of the relevant Member State). Concurrently, companies must amend their IT and data protection policies so as to adapt them gradually (and, thus, less traumatically) to the new GRDP.
The times when it was enough to comply with the formalities of the LOPD, by registering files and drawing up a security document, have given way to a new era in which personal data protection must form part of the very nature of the company's culture; after all, non-compliance with the rules and regulations on data protection can lead to heavy penalties. Thus, in a world heading inexorably towards digitalisation, companies are obliged to carry out a cultural transformation and, at the same time, to assess the benefits that complying with the GRDP will bring to their reputation and, hence, to the confidence of their clients.