Many of the concepts of the GDPR were already implicit in the Spanish Organic Law on the protection of personal data (LOPD*) then in force. However, the new regulation introduces approaches and elements that create new obligations for companies and organizations in the EU.
What are the main novelties that the GDPR brings?
Risk approach and proactive responsibility
The risk-based approach requires the company to take into account the risk that its processing poses to the rights and freedoms of individuals. Where that risk is high, the corresponding GDPR measures apply.
To determine which GDPR measures apply, the nature, scope, context and purposes of the processing must be taken into account; the measures depend on the level and type of risk of the processing concerned.
The principle of proactive responsibility (accountability), for its part, requires the controller to implement technical and organizational measures that ensure, and allow it to demonstrate, that processing complies with the regulation. In practice this means the company takes the initiative in the management of personal data: it analyzes the type and purpose of the data it processes and, on the basis of that analysis, decides which measures are appropriate.
New rights: restriction, portability, erasure
Right to restriction of processing: as the name indicates, it restricts the processing of personal data. In certain cases the data subject may request that processing of the data be suspended (for example while the accuracy of the data is being verified), and the controller must inform the data subject before the restriction is lifted and the data are processed again.
Right to data portability: it goes one step further than the right of access. The data subject can request a copy of the personal data they have provided in a “structured, commonly used and machine-readable format” and have them transmitted to another controller. It does not imply terminating the service, only obtaining the data, for example when changing service provider.
Right to erasure (right to be forgotten): the data subject can request the deletion of his or her data when one of the following applies:
- The data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based.
- The data subject objects to the processing and no overriding legitimate grounds for the processing prevail.
- The data have been processed unlawfully.
- The data must be erased to comply with a legal obligation to which the controller is subject.
- The data were collected in relation to the offer of so-called “information society” services directly to a child.
Tightening of sanctions
The GDPR establishes fine amounts that may be far higher than those contemplated by the LOPD. Administrative fines can reach up to 10 million euros or 2% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher, for serious infringements, and up to 20 million euros or 4% for very serious ones. In addition, it opens the possibility of complaints being lodged against a company anonymously, which raises the danger of competitors reporting each other for non-compliance with the GDPR.
Risk assessment
Although this was already implicitly required under the LOPD, the new regulation expressly states that companies must perform a risk assessment.
The GDPR establishes that the controller (and likewise the processor) must implement technical and organizational security measures to ensure a level of security appropriate to the risk. This is an obligation of the controller, not of the Data Protection Officer (DPO), as some people believe. The risks to be considered are, in particular, those arising from:
- Accidental or unlawful destruction, loss or alteration of personal data that are transmitted, stored or otherwise processed.
- Unauthorized disclosure of, or access to, such data.
The risk assessment should not be confused with the impact assessment, known as a PIA (Privacy Impact Assessment) or, in the GDPR's own terms, a DPIA (Data Protection Impact Assessment). According to the Spanish Data Protection Agency (AEPD), the PIA is the “exercise of analysing the risks that a given information system, product or service may pose to the fundamental right to data protection of those affected, in order to manage effectively the measures needed to eliminate or mitigate them”. When is a PIA required?
- A systematic and extensive evaluation of personal aspects of individuals (profiling) on which decisions with legal or similarly significant effects are based.
- Large-scale processing of special categories of data or of data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
Records of Processing Activities
The GDPR also establishes that companies must compile and maintain a record of their personal data processing activities, specifying, among other things, what types of data are collected, for what purposes, and who the recipients and processors are.
The obligation to maintain a Record of Processing Activities applies to both controllers and processors. When does the obligation to keep the record apply?
- When the company or organization employs 250 or more people.
- Regardless of size, when the processing is likely to result in a risk to the rights and freedoms of data subjects, or includes special categories of data or data relating to criminal convictions and offences.
- Regardless of size, when the processing is not occasional.
*LOPD = Spanish Organic Law 15/1999 of 13 December on the Protection of Personal Data