New Data Protection Act of 25 May 2018, the GDPR

Published on: 18 June 2018

Over the last few days, you have probably been bombarded with messages from all the websites and organisations to which you subscribe asking you to sign the new terms and conditions of their data protection policy.

This is mainly due to the entry into force, on 25 May 2018, of the European Union's General Data Protection Regulation (GDPR, from now on), which substantially modifies the Organic Law on Data Protection in force until now.

However, what are the changes introduced by this new regulation? As data protection lawyers, we are going to explain them to you.

Who is obliged to comply with the GDPR?

This is one of the most important questions of the GDPR. Previously, each country had the power to draw up its own data protection laws and apply them to its companies. However, from now on, all companies that are registered in an EU member state will have to comply with this common regulation.

Moreover, its application is not limited to that territory. Any company from a foreign country that wants to develop its business activity within one or more EU member states must also adapt to the GDPR.

What new obligations do companies have under the GDPR?

Accountability obligations

From now on, companies have to provide all the information related to the processing they are going to carry out on their users' data and request express consent for its use. They must also specify the rights to which those users are entitled.

The main novelty in this section is the incorporation of the term privacy by design. This means that all the company's processes must be built on the basis of the data protection policy from the outset.

On the other hand, the new regulation requires companies to notify their users within a maximum of 72 hours of any security breach that their information files may have suffered. The corresponding control authority must also be notified. In our case, this would be the Spanish Data Protection Agency. In the event that the information affected is of a particularly sensitive nature, the notification must be personalised for each affected party.

Nor should it be forgotten that, according to the new regulations, companies are obliged to keep an internal record of the personal data processing they carry out whenever they have more than 250 employees or operate with especially sensitive information.

Proactive accountability

This is one of the most innovative concepts of the GDPR. Specifically, it refers to the prevention tasks that companies are obliged to carry out in order to protect their users' data.

In this sense, entities and companies must sufficiently guarantee that they have the capacity to comply with the rights, rules and obligations established by the GDPR. This is mainly because the new regulation considers that acting only once the breach has been committed or the attack has been suffered is not sufficient, since either may entail damage that is difficult to compensate or repair.

The first step required in this respect is to carry out a risk analysis to determine which measures should be applied and how they should be implemented.

This is reflected in the execution of impact assessments, which are risk analyses on a certain product, service or information system subject to data protection law.

The figure of the data protection officer

This is a role that must be present within the organisational chart of organisations that must comply with the GDPR. Specifically, the data protection officer's function will be to plan the security measures to be applied to the data processing carried out by the company. He or she will also be the liaison between the supervisory authority and the company.

Obviously, in the event of any breach of users' data protection rights, he or she will be the first person responsible.

New citizens' rights under the GDPR

The right to be forgotten

One of the major demands of user groups has finally been reflected in the new GDPR. This is the right to request and obtain that personal data provided at a given time be deleted by the organisation when they are no longer useful for the purpose for which they were provided, when they were obtained illegally or when the consumer revokes their consent to their use.

The right to portability

Although less important than the right to be forgotten, this has also been a major achievement for user communities. Specifically, it refers to their right to demand that companies that process their data in a digitised form return it to them in a format that allows them to transfer it to other companies.

Changes to consent

The GDPR now requires that the consent given by users for the processing of their data be informed, specific, unambiguous and, above all, free. Companies are therefore obliged to review the ways in which they store and obtain such consent from their customers.

This puts an end to all previous practices based on the concept of tacit consent. For this reason, the user is required to make an explicit statement showing his willingness to have his data processed by the company or, failing that, a positive action in that direction. In other words, such consent can no longer be inferred from the inaction or silence of the citizen concerned.

Adjustment of the LOPD to the GDPR

The State Data Protection Agency, which held its ninth Annual Open Session on 25 May 2017, emphasised the need for professionals, companies and entities of all kinds to adapt to the GDPR. In fact, this text was approved two years ago, but 24 months of grace were granted to proceed with the adaptation. As you may have noticed, time has run out for many of them.

At that time, the state body referred to above made available the Facilita RGPD tool to bodies affected by the regulation's entry into force, along with a voluntary intermediation system for claiming user rights that could be considered to have been violated.

It should also be added that these changes will be embodied in a new Organic Law on Data Protection, which is currently being processed in Parliament.

We hope that, by now, you have understood the bulk of the content of the new GDPR. It is undoubtedly a legal text that will protect the rights of European Union citizens more effectively.
