Privacy Policy


Our company respects the new General Data Protection Regulation (GDPR), which comes into force on May 25, 2018 and replaces the current data protection directive and law in force. Below, its main ideas are presented as well as the complete regulations.

Information to data subjects

The regulation requires information about the legal basis for data processing, data retention period and data transfer. All privacy policies and texts that provide information to data subjects need to be reviewed.

Exercise of data subjects' rights

The regulation obliges organizations to guarantee the exercise of the rights of data subjects. Requests to exercise these rights are now monitored and documented, with maximum response times. This covers the right to data portability, the deletion of data, and the notification of third parties about the rectification, erasure or limitation of processing requested by the data subjects.

Consent of data subjects

The regulation requires controlling the circumstances in which consent was obtained from data subjects when this is the legal basis for the processing of personal data. There is a set of requirements for obtaining this consent, and failure to comply with them requires obtaining new consent.

Nature of data

The regulation defines the concept of sensitive data that is subject to specific conditions for its processing, namely rights and automated decisions. Biometric data is an example of sensitive data. Depending on the size and context of these specific data processing operations, it may be mandatory to appoint a Data Protection Officer. If it is not in the company's interest to hire or appoint this new role, our Data Protection team also provides this service as part of our solution.

Documentation and registration

The regulation requires you to keep a documented record of all personal data processing activities. Organizations are required to demonstrate compliance with all requirements arising from the application of the regulation.

Subcontracting

The regulation requires the subcontractor to ensure that it holds all authorizations from data controllers. Subcontracting contracts will have to be revised to include a vast array of information with the aim of protecting data subject information that is often processed by multiple entities without the respective data subjects being aware.

Data Protection Officer (DPO)

The regulation introduces the role of the Data Protection Officer, who will act as controller of security processes to guarantee data protection in the company's day-to-day operations. Although the role is not mandatory for all companies, having one, or an external service that guarantees this function, can add a lot of value to the processes of fulfilling obligations.

Security and Data Processing Processes

The regulation requires great control of the risk associated with the possible theft of information. This risk control must be guaranteed by effective security measures that guarantee the confidentiality and integrity of data and that prevent accidental or illicit destruction, loss and alteration of data, or unauthorized disclosure of or access to it.

Data protection by design

The regulation highlights the need to evaluate future data processing projects early and accurately in order to assess their impact on data protection and adopt appropriate measures to mitigate these risks.

Security breach notification

The regulation requires that all security breaches that result in a risk to data subjects' rights be reported to the control authority, as well as to the respective data subjects.