The EU General Data Protection Regulation (GDPR) will come into force in May 2018, and experts remind organizations that if nothing has been done yet, they are already running late.
If the current Organic Law on Personal Data Protection (LOPD) is correctly applied, a good part of the way towards the GDPR is already done, since the basic principles are maintained. The significant challenge lies in the implementation methodology itself, which shifts the focus to an assumption of accountability by organizations that goes beyond the merely formal, documentary compliance that could even be considered sufficient under the current LOPD framework.
Thus, the new European Data Protection Regulation presents us with a new regulatory framework, closer to the Anglo-Saxon style, in that it requires organizations to carry out a genuine internal analysis of their processing of personal data and to decide how to apply the rules on the basis of the aforementioned principle of accountability. New obligations arise, such as carrying out impact assessments and performing risk-based analyses, as well as new concepts that must be incorporated in practice, such as privacy by design, new rights such as the right to be forgotten and data portability, and data breach management.
All this while awaiting the new national Data Protection Law: although the GDPR applies directly to organizations processing data in the EU, each member state may specify or supplement it in those aspects that the regulation itself permits.
Consent in the European Data Protection Regulation
A key point of the new legislation is the opt-in regime, since, as a general rule, consent must be unambiguous and explicit where the processing is not supported by a legitimate interest. Lleida.net attended the Privacy and Data Protection Congress held in Madrid, showcasing solutions for obtaining consent; our proposal is based on using registered online communications (SMS, email, web) to generate evidence of acceptance of that consent, acting as a digital witness.
To provide useful guidance on the applicability of Lleida.net certification tools, here are some examples of use:
- age verification for web pages aimed at children under 13
- consent for international data transfers
- consent for the processing of sensitive data (e.g. health records)
- consent requests for automated decision-making processes
- consent requests for the use of existing data obtained for a different purpose.
Having said this, note the date May 25, 2018 in your diary and do not miss the opportunity to meet the GDPR's new requirements.
Chief Compliance Officer
Legal Practice Graduate at UAB, Master in Law and New Technologies from ESADE, and Law degree from the UAB. CESCOM® Compliance Certification.