On 25 May the General Data Protection Regulation (GDPR) began to apply directly. The regulation, motivated by current technological advances and the complexity of the processing of personal data, was intended to find a new formula to guarantee an adequate level of protection for natural persons in the European Union and avoid divergences that hinder the free circulation of personal data within the internal market.
The new regulation implied a lot of work to adapt for many companies, governments and other public and private entities that had to comply with it. The aforementioned date became a deadline with a countdown, announced as an alert. The desorbitant penalties, which could amount to up to 20 million euros or, if a company, of an amount equivalent to 4% of the total turnver for the prior financial year, easily managed to catch everyone’s attention. The initial alert has faded but the lack of calm persists, meaning that the GDPR meets one of its principal objectives: to raise awareness. After nearly a year of application, both the obliged and the affected parties have become used to the regulation. Below we will review some of the most important aspects we have learned about this regulation.
Firstly, all processing of personal data must be legal, faithful and transparent. In order to comply with these principles, all processing must be based on a legitimate purpose; the parties responsible for the processing must effectively take on the responsibility and undertake not to process the data for any illegitimate purpose. Additionally, the interested parties have the right to be informed of the processing activities of their personal data. In fact, the collection of data and the processing activities must be limited to what is strictly necessary to comply with the purpose of processing. As an example, the regulation prohibits the use of personal data collected to send an invoice for a purchase to send a company newsletter or request a phone number when this is not necessary to comply with its purpose. On the other hand, it also demands that data controllers eliminate personal data once the legitimate purpose for which it was collected has been fulfilled.
With regard to the rights of the interested parties, the data controller, with the collaboration of, where applicable, the data processors, must look out for the protection of the eight rights of the interested parties under the GDPR. These are the right to information, access, correction, the right to withdraw consent, to opposition, to oppose electronic processing, the famous right to be forgotten and the right to portability of his/her data.
One of the changes that has most required adaptation on the part of the data controllers has been the way of obtaining consent. The GDPR demands that consent of the interested party be explicit and prior to the collection and processing of the data. In addition, consent may only be requested after the corresponding party is informed. In internet, the format of information in layers is the most recurrent as it is simpler for the user to understand and more attractive to use on a web or in an application.
Finally, in terms of privacy in design and by default, experience has shown the importance of risk analyses and impact evaluations of data protection. It is essential for processing activities to be designed correctly to be able to guarantee the rights and liberties of the interested parties. The design phase for processing defines the flow of data and the elements that will be involved. It is essential to define the supervisory and security measures at that moment, not only to avoid risks, but also to avoid repeating work or incurring penalties. Risk management must be present during the entire cycle of life of the processing. For this reason, it is necessary for the data controller and its team to be trained and aware of data protection.
Without a doubt, the GDPR has implied a great deal of adaptation for the responsible parties and, at the same time, a great relief for the interested parties, especially internet users.