The General Data Protection Regulation, which repeals Directive 95/46/EC (RGPD), enters into force on 25th May in all the Member States of the European Union, a regulation that will soon be complemented by the future ePrivacy Regulation, which is currently under discussion in the European Commission. The new framework gives users more rights and control over their data and requires proactive responsibility from companies in their processing.

A complex scenario that includes possible penalties of up to 20 million euros or 4 percent of annual turnover for non-compliance, and to which many companies have not yet adapted.

In this regard, Ignacio Aparicio, partner of Andersen Tax & Legal, warns that "companies must take the necessary measures to comply with the Regulation and be in a position to demonstrate that they are being applied". The expert, who participated in the conference Are we ready for the imminent implementation of the GDPR? New challenges in the face of European data protection regulations, organised by Andersen Tax & Legal and the Foundation for Stock Market and Financial Studies (FEBF) - held at the Valencia Stock Exchange -, explained that "the design of the measures must be appropriate to the volume of data managed, the sensitivity of the data and the treatment of them".

Rafael Ripoll, Of Counsel of the firm; Isabel Martínez Moriel, head of the Privacy, IT & Digital Business area of the firm, and María García Zarzalejos, a lawyer in this area, delved into some of the key points that companies must comply with to adapt to the new legal context. Who is obliged to do it? Any company, European or not, that targets its services to citizens of the European Union and has access to personal data and metadata. In some cases, operators outside this area will be required to appoint a representative to act in this area. Any company from outside the EU will only have to deal with a single Data Protection Authority as an interlocutor.

Isabel Martínez Moriel stressed that the European Data Protection Regulation reinforces the user's right to his or her data and provides express consent for their use by means of free, unequivocal and precise action and with sufficient information on the processing of the data. Specific databases will be created for the different functionalities.

There is no longer any obligation to register files with the Spanish Data Protection Agency, but a register of internal processing activities must be kept within the company, including the data processed, the data processors, international transfers... It is compulsory for companies with more than 250 employees or those that carry out large processing operations.

Martínez Moriel points out that an evaluation of the personal data processed by the company is necessary to apply measures adapted to those who have been active or in which there is a legitimate interest based on a contractual relationship. The obligation to review and update the user's consent is defined, explaining in a clear and concise manner the purpose of using his or her data.

These include the right to portability, limitation of processing, freedom from automated decisions and, above all, the right to be forgotten.

The new privacy model is based on risk management, depending on whether it is high or standard risk, which is addressed through the design of specific measures to ensure that the processing of data is secure according to its volume and use. In this sense, "although in many cases this is not very private data, the large-scale use of personal data may lead to an impact assessment," warns Martínez Moriel. It is also recommended that processors be chosen - payroll managers, confidential information destruction companies, hosting services, etc. - who adhere to codes of conduct or certifications of the sector.

New obligations are defined for data processors, such as the maintenance of records of processing activities under their own responsibility; cooperation with the relevant authority and the availability of information, upon request, and notification by the controller of any security breach, which must be made to the competent authority within 72 hours of becoming aware of it.

The General Data Protection Regulation introduces the figure of the Data Protection Officer (DPO), who is required for public authorities and bodies, entities that systematically process data on a large scale and for companies that process sensitive data - for example, financial, health, trade union or political data - or on criminal offences. María García Zarzalejos pointed out that "it must be a person who is not likely to incur in conflicts of interest, and therefore could not be a member of the board of directors or those who decide on the processing of the data directly, such as the head of the information technology or marketing department". This figure can be either an internal person of the organization or an external expert, through a contract for the provision of services. The DPO cannot carry out the data protection audit.

Other "recommended" measures to meet privacy requirements, such as data minimisation, protection impact assessments and transparency, were presented by the experts who spoke at the conference. In addition, Ignacio Aparicio referred to "pseudonymization", which implies "anonymizing personal data after the legal storage period, so that they cannot be linked to a person, but can be used for purposes other than those for which they were collected, such as for analytical or statistical purposes.

For further information, please contact: