Everything you need to know about the GDPR: the new data protection regulations
Posted: Wed Dec 04, 2024 9:34 am
By now, you've probably seen these tongue-twisting acronyms on more than one site. In case you don't know, the GDPR is the new European data protection regulation that comes into force on May 25. This means that a series of measures must be implemented on our websites to stay up to date. Take note, because failure to comply with this law can lead to a considerable administrative fine.
What are the differences in the new data protection law?
The first change is in the 'attitude' of the law. While its predecessor, the LOPD (this one sounds familiar to you, right?), was reactive, the new RGPD (the Spanish name for the GDPR) is proactive: continuous improvement and a demonstrable good-faith effort on the part of the company will be valued positively. We do not have to wait for something to happen before acting; instead we have to keep implementing measures so that errors do not occur in the first place.
This regulation focuses on the user, granting them more rights and facilities:
The user will have easy means to access their data, rectify it, cancel it or oppose its use (the ARCO rights).
The user must give explicit consent for the use of his/her data, and may choose for which purposes he/she will provide his/her information and for which he/she will not.
The user will have the right to be forgotten and the right to data portability in a structured, commonly used and machine-readable format (i.e. they can ask for all their data to be deleted or exported).
What new obligations does the company have with the entry into force of the GDPR?
The company is required to carry out a risk analysis and, where the processing is likely to pose a high risk to users, a data protection impact assessment. That is, it must analyse the consequences of a leak of the data it stores and specify the risks that exist for the user if this occurs. Any data breach must be notified to the supervisory authority within 72 hours of its discovery, and the affected users must also be informed without undue delay when the breach poses a high risk to them.
In addition, it will be obliged to document the processing operations.
These obligations are accompanied by penalties for non-compliance: specifically, fines of up to 4% of the annual global turnover or up to 20 million euros, whichever is higher.
How is compliance with the new data protection law monitored?
To ensure compliance with this new regulation, a new figure appears in the company: the Data Protection Officer (DPD or DPO). This new actor is in charge of safeguarding compliance with the regulation and acts as the link between the user, the company and the supervisory authority.
This figure must be able to demonstrate expert knowledge of data protection law, and their contact details must be communicated to the AEPD (Spanish Data Protection Agency). Appointing a DPO is not mandatory for all companies, although organizations that do appoint one will be viewed positively.
But then… what do I have to do to comply with the GDPR law on my website?
Any website must adapt its legal notices to comply with the new regulations. Until now we had three legal notices (legal notice, privacy policy and cookie policy), but from May 25 we will have to bring all of this information up to date and add the necessary changes.
The main changes that need to be made:
The user must give explicit consent for the use of their data.
This consent must clearly specify the use that will be made of that data.
Consent must be freely given and granular, meaning that the user has the option to accept or reject each of these legal consents separately, differentiating between the types of data the company holds and the use that will be made of that data.
In practice, this means that the user will find a list with up to 4 types of consent for the use of their data, or in other words, 4 "checks" on a form that the user must actively tick (no pre-ticked boxes) to confirm that they agree with the use that will be made of their data:
1 – Personal data: this data may only be saved in the database once the user has accepted the privacy check.
2 – Use of data for marketing purposes: if we want to use this data for marketing purposes, the user must explicitly accept (check) the "advertising policy", which explains what their data will be used for. We must save this consent in our database along with their information, so that we can later prove what was accepted and when.
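The following is an added example, not code from the original post, showing one way to implement the two points above (per-purpose consent recorded next to the user's data) together with the export and erasure rights mentioned earlier. The purpose identifiers, the field names and the idea of hashing the policy text the user was shown are assumptions chosen for illustration; the post itself prescribes none of them.

```python
"""Per-purpose consent ledger: an added example, not code from the original post.

Purposes, field names and the policy-hash scheme are assumptions chosen to
illustrate the post's advice, not anything the post itself prescribes.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Assumed purpose identifiers; the post names the first two.
PURPOSE_STORAGE = "privacy"      # consent to keep the record at all
PURPOSE_MARKETING = "marketing"  # consent to advertising use


@dataclass(frozen=True)
class ConsentEvent:
    """One tick or untick of one checkbox, kept as evidence next to the user's data."""
    purpose: str
    granted: bool
    at: str           # ISO-8601 UTC timestamp
    policy_hash: str  # SHA-256 of the exact policy text the user was shown


@dataclass
class UserRecord:
    email: str
    name: str
    consents: list[ConsentEvent] = field(default_factory=list)


class ConsentStore:
    def __init__(self, policies: dict[str, str]) -> None:
        # Hash each policy text so a stored consent can later be tied to the wording shown.
        self._policy_hash = {p: hashlib.sha256(t.encode()).hexdigest() for p, t in policies.items()}
        self._users: dict[str, UserRecord] = {}

    @staticmethod
    def _now(now: datetime | None) -> str:
        return (now or datetime.now(timezone.utc)).isoformat()

    def register(self, email: str, name: str, accepted: set[str],
                 now: datetime | None = None) -> UserRecord:
        """Store a new user. `accepted` holds only the boxes the user actively ticked
        (no pre-ticked defaults); a decision for every purpose is recorded either way."""
        unknown = accepted - set(self._policy_hash)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        if PURPOSE_STORAGE not in accepted:
            raise PermissionError("privacy consent not given; nothing may be stored")
        rec = UserRecord(email, name)
        stamp = self._now(now)
        for purpose, policy_hash in self._policy_hash.items():
            rec.consents.append(ConsentEvent(purpose, purpose in accepted, stamp, policy_hash))
        self._users[email] = rec
        return rec

    def withdraw(self, email: str, purpose: str, now: datetime | None = None) -> None:
        """Withdrawal is appended, not overwritten, so the history stays auditable."""
        rec = self._users[email]
        rec.consents.append(ConsentEvent(purpose, False, self._now(now), self._policy_hash[purpose]))

    def has_consent(self, email: str, purpose: str) -> bool:
        """The latest event for a purpose decides; no event means no consent."""
        rec = self._users.get(email)
        if rec is None:
            return False
        for ev in reversed(rec.consents):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def marketing_recipients(self) -> list[str]:
        """The only query a mailing job should use, never the raw user table."""
        return sorted(e for e in self._users if self.has_consent(e, PURPOSE_MARKETING))

    def export(self, email: str) -> dict | None:
        """Portability: everything held on the user, including the consent history."""
        rec = self._users.get(email)
        return None if rec is None else asdict(rec)

    def export_json(self, email: str) -> str | None:
        data = self.export(email)
        return None if data is None else json.dumps(data, indent=2)

    def erase(self, email: str) -> bool:
        """Right to be forgotten: the record and its consent history go together."""
        return self._users.pop(email, None) is not None


if __name__ == "__main__":
    # Constructed sample policies and users, not real data.
    store = ConsentStore({PURPOSE_STORAGE: "Privacy policy v1 (constructed sample text)",
                          PURPOSE_MARKETING: "Advertising policy v1 (constructed sample text)"})
    store.register("ana@example.com", "Ana", {PURPOSE_STORAGE, PURPOSE_MARKETING})
    store.register("bo@example.com", "Bo", {PURPOSE_STORAGE})
    print(store.marketing_recipients())   # only Ana ticked the advertising box
    store.withdraw("ana@example.com", PURPOSE_MARKETING)
    print(store.marketing_recipients())   # now nobody
    print(store.export_json("ana@example.com"))
```

Two design choices matter here: a record is refused outright when the privacy box is not ticked, so an unticked default can never be stored as consent, and the marketing job reads only `marketing_recipients()`, so a later withdrawal takes effect without anyone having to clean the raw user table.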