Our company respects the new General Data Protection Regulation (GDPR), which enters into force on May 25, 2018 and replaces the current data protection directive and current law. Its main ideas are presented below, along with the complete regulation.
Information for interested parties
The regulation requires organizations to inform interested parties about the legal basis for processing their data, how long the data is retained, and how it is disposed of. All privacy policies and texts that provide information to interested parties must be reviewed.
Exercise of the rights of the interested parties
The regulation requires organizations to guarantee that interested parties can exercise their rights. Requests to exercise these rights are now monitored and documented, with maximum response times. The rights include data portability, erasure of data, and communication to third parties of any rectification, erasure or restriction of processing requested by the interested parties.
Consent of interested parties
The regulation requires organizations to control the circumstances in which the consent of the data holders is obtained when consent is the legal basis for the processing of personal data. There is a series of requirements for obtaining this consent, and where they are not met, new consent must be obtained.
Nature of the data
The regulation defines the concept of sensitive data, which is subject to specific conditions for its processing, namely with regard to rights and automated decisions. Biometric data is one example of sensitive data. Depending on the size and context of this specific data processing, it may be mandatory to appoint a Data Protection Delegate. If it is not in the company's interest to hire or designate someone for this new role, our Data Protection team also provides this service as part of our solution.
Documentation and registration
The regulation requires organizations to keep a documented record of all personal data processing activities. Organizations are obliged to demonstrate compliance with all requirements arising from the application of the regulation.
Subcontracting
The regulation obliges the party in charge of processing to ensure that it accounts for all the authorizations of those responsible for the processing of data. Subcontracting contracts will tend to be revised to include a broad set of information, with the aim of protecting the information of the interested parties, which is often handled by various entities without the respective holders being aware of it.
Data Protection Officer (DPO)
The regulation introduces the figure of the Data Protection Delegate, whose function is to be responsible for handling the security processes that guarantee the protection of data in the day-to-day running of the company. Although this figure is not mandatory for all companies, having one, or an external service that guarantees this function, can add much value to the processes of fulfilling obligations.
Security Processes and Data Processing
The regulation requires strong control of the risk associated with possible information theft. This risk control must now be guaranteed by effective security measures that ensure the confidentiality and integrity of the data and that prevent its accidental or illicit destruction, loss or alteration, as well as unauthorized communication of or access to it.
Data protection by design
The regulation highlights the need to evaluate future data processing projects in advance and rigorously, in order to assess their impact on data protection and adopt appropriate measures to mitigate these risks.
Notification of security breaches
The regulation requires that all security breaches that result in risk to the rights of the data holders be communicated to the supervisory authority as well as to the respective holders of the data.