The new data protection regulation came into force on May 25, 2018 and affects all European citizens. Any company that holds data on European citizens must comply with it, from small and medium-sized businesses to giants such as Amazon, Apple, and Google. How does this data protection regulation affect companies and businesses? Do you meet all the requirements to comply with it?
General Data Protection Regulation (GDPR) or Data Protection Act (DPA)
The regulation is also known by its English acronym GDPR (General Data Protection Regulation) and by its Spanish acronym RGPD. Although it came into force in 2016, companies were given two years to adapt to it. Compliance is now mandatory. The objective of this regulation? To protect people's data, to let citizens know who holds their data, which data they hold and how it is used, and to let them act on that data more simply and effectively.
What is personal data?
The regulation protects personal data, understood as any information relating to an identified or identifiable natural person. Many kinds of data can identify a person, whether they concern the person directly or their employment, assets, education, ideology, health, physical or personal characteristics, or lifestyle habits.
Some of these data are:
- Data about the person himself/herself: Name and surname, postal address, telephone number, email address, date and place of birth, age, national identity document number, passport, signature, marital status, nationality, IP address, image or photo of the person, etc.
- Information about your employment: Professional position, workplace address, work email, professional telephone number, etc.
- Data on your financial solvency: Tax information, bank details, data on debts, credits, mortgages, etc.
- Data about your ideology: Union affiliation, religion, political affiliation, societies or organizations to which you belong, etc.
- Information about your education: Degrees, certificates, training received, etc.
- Data about your health: Diseases, treatments, health, medical history, psychological or psychiatric information, sexual life, etc.
- Physical characteristics: Skin color, ethnicity or race, particular features, etc.
Consent of the users
This regulation requires the express consent of the user before companies can use their personal data. Until now, consent was not explicit but tacit and given by default when we provided our data: a box appeared already ticked, indicating that we were handing over our personal data. This is no longer possible. Now it is the user who must tick the box if they agree to give their consent. In addition, children under 16 years of age need parental permission.
What about companies that obtained personal data before the new regulation came into force? They have to renew consent and request it again, so that it is unequivocal, clear, and distinguishable from other matters, accompanied by privacy clauses written in clear and understandable language.
This is the reason why we have received so many emails requesting consent from many companies and websites that had our data, although, in some cases, we did not even remember the moment in which we had given it.
Warning! The location of the company does not matter here: it must have the consent of all users who are citizens residing in the European Union, regardless of whether the company is located in Europe or not. So if your company offers goods or services to European citizens, you must comply with the regulation, regardless of whether your activity involves payment by the user, runs in the cloud, or is even a search engine or social network.
What are the rights of users regarding their personal data?
Companies must be able to guarantee the rights that people have over their data. For this, the data must be stored in an adequate way, so that it is quickly accessible and the company can respond to the new regulation, which requires that the data can be created, displayed, modified, and deleted without restrictions.
The new regulation brings with it a series of rights for European citizens that are worth understanding and that we are going to look at in detail, since they concern us both as users and as companies.
Right to be forgotten
This is one of the most frequently mentioned rights in the news. Several court rulings have already forced companies to delete the data of certain customers and protect their privacy online. From now on, a person can request that their personal data be deleted, and this applies to internet search engines as well.
The Court of Justice of the EU has indicated that, if an Internet user so wishes, they can request the deletion of their personal data, withdrawing their consent to the use of their data. However, it is not possible in all cases, as the right to freedom of expression and information prevails, as well as the public interest.
Right of access to data
A user can ask a company what personal data it holds about them and for what purpose it is used. A person can also request a free copy of their personal data in electronic format from the company. The company is obliged to supply this information (as a copy of the data or as remote access to the file, for example) within a maximum of one month from the date the request is submitted.
Right to data portability
This new right allows people to recover their personal data from their current provider and transfer it to a new provider whose services they want to start receiving, for example when changing telephone operator, Internet service, or digital service provider, among others. In this way, the customer can transfer their data directly to the new company, without the obstacles that have so far made switching services difficult, and the new company can begin processing that customer's data.
Right to information
If something happens to our data, the user must be notified and informed. If a company suffers data theft, a ransomware attack, a hacker attack, or simply loses data by mistake, the integrity and security of its customers' personal data may be compromised. In these cases, the law establishes that the company must inform the authorities about the security breach within a period of no more than 72 hours. In addition, it must take action to remedy the incident and protect its customers, communicating directly with them in cases where the breach directly affects them.
A company that does not want to find itself in such a situation must not only have good protection against ransomware, but also a sound security protocol that allows it both to restore information and to know how to act in these problematic and unpleasant situations. For this, the company must have previously taken care to make backups, so that it can restore the data in the shortest possible time and return to normal operation as soon as possible.
Right of rectification and opposition
If the customer wishes, they can contact the company or website that holds their data so that it can be updated, supplemented with more information, or corrected.
In addition, the customer has the full right to choose the specific uses for which they provide their data and to state which uses they oppose. For example, they may allow their data to be used for statistical studies, but not for advertising.
Right not to be the subject of automated profiles
Some companies create user profiles in an automated way to evaluate certain personal aspects for marketing purposes, or to make predictions or decisions with negative legal effects for people. In this regard, the law is very clear: it prohibits decisions based solely on this automated cross-referencing of data. Keep in mind that it is the decisions that are prohibited, not the data processing itself. This right is the subject of much controversy, especially with the rise of Big Data, so any company that wishes to use automatically created profiles must inform itself in detail, with the law and all its sections in hand.
See the advantages and opportunities
The new European data protection regulation affects companies, which must manage their customers' personal data better and be able to respond to each of the points the new regulation introduces. Data protection and management solutions for organizations and companies are essential today to face the LOPD.
This new law aims to provide clarity and protection for all, to eliminate or reduce fraudulent acts on the internet, and to give control back to the owner of the data, that is, the citizen.
Any company that does not want to receive fines or sanctions for breaching the LOPD or GDPR must adapt to these regulatory changes. But this should not be a burden for companies, since it represents an opportunity to stand out from the competition by increasing customer trust and loyalty, in what is known as the three Cs: Confidence, Compliance, and Competitiveness. It is time for companies to better protect their systems, servers, and data.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 2,000 employees in 45 locations. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by 18,000 service providers to protect over 750,000 businesses.