Adequacy and compliance with the data protection regulations of the European Union

NEEDS

  • Adaptation to comply with data protection regulations according to the new European Regulation.
  • To have protocols and security measures in place for the processing and transfer of personal data.
  • Sensitisation and commitment of the staff regarding the protection of personal data.
  • Having a data protection delegate, where appropriate, to supervise compliance with data protection protocols.
  • Avoiding very serious sanctions for non-compliance with the regulations.

ACTIONS

  • Analysis of the degree of compliance of your business in terms of data protection.
  • Documentation and registration of data processing in the company.
  • Staff training and awareness-raising.
  • Data protection risk analysis.
  • Impact assessments.
  • Security measures and action protocols.
  • Security measures in the communication of data to third parties.
  • Drafting of an updated security document in accordance with the new regulatory requirements.
  • Drafting of confidentiality commitments with suppliers.
  • Drafting of confidentiality commitments for personnel.

Services of the data protection officer

How does the new data protection regulation affect my company?

It affects me directly.

  • The personal data protection regulation affects all companies and freelancers regardless of the size and structure of their business. Therefore, it is mandatory for any company or business.
  • I must ensure that I have established security mechanisms and protocols that actively guarantee the privacy of the personal data for which we are responsible (data of customers, employees, suppliers, etc.) as well as compliance with all data protection obligations.

The most important new features are:

The obligation to register files with the Spanish Data Protection Agency is eliminated. Instead, it is compulsory to document all processing of personal data carried out in my company, creating an internal register in which each processing activity is identified and described.

Another novelty imposed by the Regulation is the need to carry out, as a starting point for adequate compliance, an analysis of the risks to data privacy that may arise in the normal operation of the business itself and, depending on the risks observed, to design the corresponding preventive security measures, as well as corrective measures. Because the regulations do not prescribe the measures we must adopt in a standardised manner, but rather require us to create our own “tailor-made suit” with measures that we consider “appropriate” for our business, we must ensure that the security measures we adopt are effective.

Greater transparency and fairness are required in the information provided to data subjects (customers, employees, etc.) whose personal data are processed. The information given to data subjects must be clear, simple and complete.

Data must be retained for as short a time as possible. The obligation to inform the data subject of the length of time for which the data will be kept by a health centre is established.

In certain cases, the figure of the data protection delegate is established as a mandatory element. This figure should ideally be external to the business, due to the legal requirement that this figure be independent from the business management. His or her task is to manage, advise and control the correct application of the security protocols in matters of data protection in the business.

It also establishes the obligation to carry out Privacy Impact Assessments (PIA) of personal data processing in certain cases (mass data processing or profiling, for example).

The communication or transfer of data to third parties, such as our own suppliers (e.g. the IT supplier), is of particular importance due to the risk it poses to privacy. For this reason, it is essential to establish specific protocols that guarantee the security and strict confidentiality of personal data, both when it is processed within our company and when it is transferred to third party suppliers for specific processing. It is essential to demand the same level of compliance with data protection regulations from our suppliers as we have established for our company.

What can happen in case of non-compliance?

  • Being sanctioned by the supervisory authority. Compared with the current regulations, there has been a significant increase in fines for non-compliance, which can reach up to 20 million euros or 4% of the offender’s annual turnover.
  • Having to directly compensate the affected party. This is a novelty with respect to the current LOPD, and it will undoubtedly lead to an exponential increase in the number of complaints.

How can globalpacta help you?

Globalpacta has a department specialised in advising on Data Protection matters. First of all, it will analyse the degree of compliance of the company or business in terms of data protection, as well as the risks encountered. Based on this analysis, it will propose, if necessary, new protocols and security measures to be implemented in order to achieve strict compliance with the requirements of the new Data Protection Regulation and the new LOPD 2018.

Data Protection Delegate Service. Globalpacta offers to fill this role on an outsourced basis when it is mandatory or advisable for your business under the new regulation.

It also carries out impact assessments and manages the risks detected.

Globalpacta, in short, offers you complete advice on how to fully comply with data protection regulations, which, in addition to avoiding heavy penalties, conveys an image of seriousness and good work that benefits the reputation of your company or business.

Would you like us to study your situation? Contact us, we can help you!

Our team of data protection lawyers

ROBERTO MARTÍNEZ

Lawyer

JUAN-CARLOS PIQUÉ HERNÁNDEZ

Lawyer
