Is Your Business Ready for the New Data Protection Legislation?
Posted: Mon Dec 23, 2024 9:16 am
Article updated 3 years ago by NewsMDirector
European Union data protection
TABLE OF CONTENTS
10 keys to GDPR compliance
1. “Consent, affirmative acceptance”
2. “Privacy by design and by default”
3. “Risk Analysis”
4. “Record of processing activities”
5. “Notification of a security breach”
6. “New rights for data subjects”
7. “Data Protection Officer”
8. “Higher level of information and transparency”
9. “One-stop shop”
10. “New sanctioning regime”
10 keys to GDPR compliance
1. “Consent, affirmative acceptance”
This principle changes: consent must now be a manifestation that entails an unequivocal acceptance by the user, either through a statement or through an affirmative action. Silence is no longer considered positive, and tacit consent disappears. Likewise, pre-checked boxes will under no circumstances be a valid way of obtaining consent.
2. “Privacy by design and by default”
From the initial planning stage of a project, it is necessary to consider whether it has implications for data protection. This means detecting early any processing that may impact personal data, and it requires a joint vision and coordinated actions between the legal, organizational, business and IT areas.
3. “Risk Analysis”
The obligation to carry out data protection impact assessments is introduced. The currently known security levels (basic, medium and high) will disappear. The measures to apply will now depend on the result of the assessments, based on the risk to be managed, which will require implementing mechanisms and procedures to protect the data.
4. “Record of processing activities”
With the GDPR, it will no longer be necessary to register files in the General Data Protection Registry; instead, organizations will have to keep an internal record of the different personal data processing activities they carry out.
5. “Notification of a security breach”
Security breaches must be notified to the data protection authority (in the case of Spain, the Spanish Data Protection Agency) within a maximum period of seventy-two hours.
6. “New rights for data subjects”
The obligation to comply with the rights we already know continues: access, rectification, cancellation (now called deletion) and opposition. Two new rights are added: the limitation of processing and the portability of data. The data controller is obliged to respond to the data subject's requests without undue delay and no later than one month after receiving them.
7. “Data Protection Officer”
A DPO is required when the processing is carried out by a public authority or body (except courts and tribunals); when the processing requires regular and systematic monitoring of data subjects on a large scale; or when the processing concerns special categories of personal data. Outside the cases listed by law, it is up to the controller to decide whether to appoint a DPO.
8. “Higher level of information and transparency”
In addition to the identity of the controller, the purposes of processing and information on the exercise of rights, the following will have to be provided: the contact details of the data protection officer, the legitimate interests of the controller or a third party, the intention to transfer personal data, the period for which the personal data will be stored, the existence of the new rights of data subjects, and the existence of automated decision-making, such as profiling.
9. “One-stop shop”
It will allow any citizen to file a complaint with the data protection authority of their place of residence, regardless of the address of the company being reported.
10. “New sanctioning regime”
Penalties for non-compliance are substantially increased. Administrative fines can reach EUR 20,000,000 or, in the case of a company, up to 4% of the total annual global turnover of the previous financial year, whichever is higher, for non-compliance with the basic principles, including the conditions for consent and the processing of special categories of data, the rights of data subjects, and the guarantees for data transfers.