How to apply the RGPD to an e-commerce business

First of all, you should know what the acronym RGPD stands for, because it will matter a great deal for the development of your digital business model. It is the Spanish abbreviation for the General Data Protection Regulation (GDPR), which has come into force very recently. If you run an online shop or commerce, you will have to comply with this legislation so as not to run into unpleasant surprises from now on.

Do I have to do something to adapt my store or business to the GDPR? You should know that the RGPD is a regulation approved at European Union level whose objective is to ensure the protection of personal information.

From now on, all companies will have to make available on their website a Privacy Policy that explains how they process the data they hold, whether it belongs to customers, associates, employees or simply people interested in receiving commercial information.

New principles included in the RGPD

The current data protection regulations in Europe contemplate new scenarios for the owners of a digital business, among which are the aspects set out below. Bear in mind that the European Parliament and the Council have finally approved the General Data Protection Regulation (RGPD), which, with the aim of unifying the regimes of all Member States on the matter, entered into force on May 25, 2016, although compliance will only be mandatory two years after that date.

Accountability principle. Mechanisms will have to be implemented to prove that all the measures needed to process personal data as the regulation requires have been adopted. This is a proactive responsibility: organizations must be able to demonstrate that they meet these requirements, which will require developing policies, procedures, controls, and so on.

Data protection by design and by default. Measures must be adopted to guarantee compliance with the regulation from the moment a company, product, service or activity involving data processing is designed, as a rule and from the source.

Principle of transparency. Legal notices and privacy policies should be simpler and more intelligible, easier to understand, and also more complete. It is even envisaged that standardized icons may be used to inform about data processing.

New obligations for digital companies

In some cases it will be mandatory to designate a Data Protection Officer (DPO), internal or external, to assist the organization with regulatory compliance. Even where it is not mandatory, the complexity of the new regulation makes this role highly advisable in the vast majority of organizations.

In certain cases, privacy impact assessments must be carried out; these determine the specific risks involved in processing certain personal data and foresee measures to mitigate or eliminate those risks.

Multinational companies will deal with a single national supervisory authority: that of the entity's main establishment. This is known as the one-stop shop.

Security breaches must be communicated to the supervisory authorities and, in serious cases, to the affected persons as soon as they are known, within a maximum period of 72 hours.

Sensitive data: the category of specially protected data is expanded and now includes genetic and biometric data. Criminal offences and convictions are also included in this category, although administrative ones are not.

The selection of a data processor is stricter, since it will be necessary to choose one that provides sufficient guarantees of regulatory compliance.

Additional guarantees for so-called international data transfers: stricter guarantees and monitoring mechanisms are established for transfers of data outside the European Union.

Seals and certifications: it is foreseen that compliance seals and certifications will be created that allow organizations to accredit their accountability.

The obligation to register data files disappears; it is replaced by internal control and, in some cases, an inventory of the data processing operations carried out, the content of which can be expected to be similar to that of the current registration form.

Sanctions: the fines for non-compliance increase, reaching 20 million euros or 4% of global annual turnover (Public Administrations are not excluded from the fines, although Member States may agree to exclude them).

New rights provided by regulation

Transparency and information. When processing personal data, organizations must provide more information, in a more intelligible, complete and simple way, which will favour decision-making by citizens. Special consideration is given to minors at this point.

Consent. Consent to process personal data must be unequivocal, free and revocable, and must be given by means of a clear affirmative act. Tacit consent is not allowed.

Right to be forgotten. Consent given for the processing of personal data may be revoked at any time, and the deletion and removal of the data from social networks or internet search engines may be demanded.

Right to restriction of processing. It allows citizens to request the temporary blocking of the processing of their data when there is a dispute about its lawfulness.

Data portability. Citizens will be able to request the transfer of their personal data from one Internet service provider to another.

Complaints. Complaints may be filed through user associations.

Compensation and penalties for non-compliance. The right to claim compensation for damages arising from the unlawful processing of personal data is recognized.

The data controller may establish a fee for responding to access requests, taking into account the administrative costs involved.

Considerations on its correct application

Notwithstanding the foregoing, many aspects stipulated in this regulation are still pending development and concretion. The Member States, the supervisory authorities, the European Data Protection Board and the Commission must specify a multitude of elements in the RGPD that are too ambiguous or vague.

In any case, the provisions of the Regulation are directly applicable in each Member State without the need for transposition, and oblige private companies and public institutions to face a major process of regulatory readjustment.

However, the RGPD does not automatically repeal the LOPD and its implementing regulations; it simply displaces them to the extent that they are incompatible with it. In those areas where there is no incompatibility, both sets of rules will coexist, which promises many practical and interpretive problems whose resolution will require the assistance of specialized professionals who offer sufficient guarantees. Moreover, the adaptation process is not technically easy, so it will be important for companies to have specialized legal advice.

Get a data protection service

A good way to obtain a data protection service is to ask for quotes from the Association of Data Protection Companies (AEPD.org). AEPD.org runs an official rota among its member companies. It works simply: you request a quote from AEPD.org and the association distributes it among its members, aiming to ensure that the end customer receives good advice.

If you do not go through AEPD.org, the only way to obtain quotes is to visit the websites of data protection companies one by one. This procedure is slower but also effective. In the coming weeks we will compile and publish a list of LOPD companies to make this easier. For the moment, perhaps the best option is to go to the Association of Data Protection Companies.

Final conclusions

Consent must be given by means of a clear affirmative act that reflects a free, specific, informed and unequivocal indication of the data subject's agreement to the processing of personal data concerning them, such as a written statement, including by electronic means, or an oral statement.

This could include ticking a box on a website, choosing technical settings for the use of information society services, or any other statement or conduct that clearly indicates in this context that the data subject accepts the proposed processing of their personal data. Therefore, silence, pre-ticked boxes or inaction should not constitute consent.

Consent must cover all processing activities carried out for the same purpose or purposes. When processing has several purposes, consent must be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
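As an added illustration (not part of the original article), the following JavaScript shows how an online shop could record consent under these rules: one decision per purpose, rejection of pre-ticked boxes, and a timestamped, revocable record that also serves the accountability principle. The purpose names, the policy version and the sample submission are constructed assumptions.

```javascript
// Added example, not from the original article. Purposes for which the shop
// asks consent; each must be consented to separately (assumed sample values).
const PURPOSES = ["order_processing", "newsletter", "profiling"];

// Constructed sample submission as a consent form might post it. For each
// purpose the form reports whether the box was ticked and whether it was
// ticked by default before the user touched it.
const SAMPLE_SUBMISSION = {
  subjectId: "customer-0001",
  purposes: {
    order_processing: { checked: true, defaultChecked: false },
    newsletter: { checked: true, defaultChecked: false },
    profiling: { checked: false, defaultChecked: false },
  },
};

// Validate one submission and build the consent record to be stored.
function recordConsent(submission, policyVersion, now = new Date()) {
  const granted = {};
  for (const purpose of PURPOSES) {
    const entry = submission.purposes[purpose];
    // Silence or inaction is not consent: a missing purpose is "not granted".
    if (!entry) { granted[purpose] = false; continue; }
    // A pre-ticked box is not a clear affirmative act: reject the whole form
    // so the UI defect is fixed rather than silently recorded as consent.
    if (entry.defaultChecked) {
      throw new Error(`pre-ticked box for purpose "${purpose}" is not valid consent`);
    }
    granted[purpose] = entry.checked === true;
  }
  // Accountability: record who consented, to what, when, and which policy
  // version was shown, so compliance can be demonstrated later.
  return {
    subjectId: submission.subjectId,
    policyVersion,
    grantedAt: now.toISOString(),
    purposes: granted,
    revokedAt: null,
  };
}

// Gate every processing operation on per-purpose, unrevoked consent.
function mayProcess(record, purpose) {
  return record.revokedAt === null && record.purposes[purpose] === true;
}

// Withdrawal is recorded with a timestamp rather than deleting the record,
// so the shop can still show what was lawful at the time of processing.
function revokeConsent(record, now = new Date()) {
  return { ...record, revokedAt: now.toISOString() };
}
```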

