On the 25th of May, the new General Data Protection Regulation (RGPD) comes into force, applicable to Spain and the rest of the countries in the European Union.
The RGPD modifies certain aspects of the current regime and contains new obligations for both Public Administrations and companies of all kinds dealing with data of natural persons.
As a starting point it will be necessary to carry out an in-depth study of the data processing activities that are carried out and an analysis of the risk that they imply for the rights and freedoms of the interested parties. Based on this, the most appropriate technical and organizational measures must be adapted to guarantee and prove that the data processing carried out by each organization is in accordance with the new regulations.
In addition, in cases where the treatment may entail a high risk for the rights of the interested parties, what the Regulation calls the impact evaluation will have to be carried out.
There can be no data processing without a legitimate purpose. This purpose must be clearly identified and documented. The interested parties must receive detailed information about the purpose of the treatment and the rights of access, rectification, deletion, opposition, portability of the data and, in certain cases, the right to limitation of treatment, must be fully guaranteed. In addition, the RGPD requires that the security failures of the data be notified to the Spanish Agency for Data Protection within a maximum period of 72 hours.
The figure of the Data Protection Delegate created by the RGPD is also new, whose designation will be mandatory in certain circumstances.
And finally, it is worth highlighting, that the RGPD have set out substantial fines to be paid of up to 20 million Euros and 4% of the total annual turnover.
We want to help you to adapting to this new regulation by showing you the roadmap to follow and establishing the most appropriate data protection policies for your company.
