In this article, we answer a common and topical question in the business environment regarding the GDPR: what is it, and how does it regulate the rights of citizens? You will learn several important concepts related to the European Data Protection Act and the points to take into account to comply with the GDPR.
Here are three new features compared to the previous regulation:
1. The transfer of data without the person's knowledge, the so-called "tacit consent", is a thing of the past. We now give our consent to our data being made available with a clear statement.
2. No more handling or transfer of data to third parties without control and prior notice.
3. No more skirting the law for anyone, with financial penalties that can reach millions of dollars.
Before looking at the legal regulation, let’s see what data we are talking about.
What is personal data?
It is all that concerns the private sphere of individuals, differentiating personal data from detailed data.
According to the Spanish Data Protection Agency, personal data are those referring to natural persons identified or identifiable by two means:
- An identifier such as name and surname(s), an identification number (NIF), location data or an online identifier.
- One or more elements specific to the physical (a photograph), physiological, genetic, psychological, economic, cultural, or social identity of individuals.
Several types of data are handled and can refer to the person’s identification and employment, financial, or health situation.
The special data category extends the custody field to public or private institutions:
- Ethnic or racial origin data.
- Political opinions and religious or philosophical convictions.
- Trade union membership.
- Biometric data used to uniquely identify a person.
- Genetic data.
- Data relating to physical or mental health.
- A person's sexual orientation or sex life.
- Data relating to criminal convictions or offenses.
All of them are covered and regulated by the Data Protection Act. Now, let's see what this regulation includes.
What is the GDPR?
The General Data Protection Regulation (GDPR) regulates the management and security of personal and sensitive information of individuals, which is handled by public administrations and companies that market products or services within the European Union.
It covers all companies and professionals, regardless of their size. This means that the self-employed, microenterprises, SMEs, and large corporations must protect data. Everyone has different risk levels depending on the sector, size, and nature of the information they handle.
The meaning of the GDPR implies rights and duties.
Compared to the previous law, it grants citizens more freedom and rights and greater power of decision regarding the use of their data. It therefore represents a substantial evolution: in addition, it contemplates the right to be properly informed and the rights of access, rectification, objection, or cancellation of the data whenever the person wishes.
It also recognizes the ability to denounce abuses and regulates the official means to do so.
Duties of companies and public administrations
Entities acquire greater obligations and responsibilities, and can receive heavy penalties if they fail to comply with the rights established by the GDPR. The amount varies depending on the type of infringement committed, the intent of the infringer, and the preventive measures carried out.
All this is collected and detailed in law, so to properly answer the question of what the Data Protection Act is in our geographical area, we must keep in mind the following legal text:
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The European Union’s GDPR
Regulation 2016/679 of the European Parliament and the European Council entered into force on May 25, 2018, and, as we have already advanced, increases the rights of citizens regarding the protection of their data, especially in the face of technological evolution and globalization.
In addition, it includes concepts and groups that were not previously contemplated. This is the case of the protection of minors, leaving the express authorization for processing their personal information in the hands of their parents. It is also the case of media such as video surveillance or advertising.
Principles and obligations
The principles of the GDPR regulate the behavior of entities beyond the simple obligation to inform about the data they collect and to protect them. In other words, it establishes a mandatory and concrete code of conduct materialized in seven fundamentals:
- Purpose limitation principle
- Principle of data minimization
- Retention period principle
- Principle of integrity and security
- Proactive accountability principle
In terms of control and proactivity, it is not only necessary to ensure that data is kept secure; in the event of a transfer of data, the company or administration must also communicate and acknowledge any security breaches or failures it has suffered.
Data Protection Officer
One of the novelties is that the GDPR introduces a new figure: the Data Protection Officer (DPO). Their presence is mandatory in public administrations and in those organizations with large-scale processing of sensitive data (banks, insurance companies, surveillance companies, mutual insurance companies, hospitals, political parties, etc.).
This person is responsible for identifying risks, seeking solutions, and notifying security failures or information leaks. They should also have an effective system in place for reporting the failure and communicating it to those affected whenever there is a risk to their rights.
With all this information, you already have an idea of what the GDPR is. If you want to know a specific case of action, we explain in this article how we protect data at Smowltech.