Data Protection Day in Europe was celebrated on 28 January, as it is every year. It is a commemorative date promoted by the European Commission, the Council of Europe and the data protection authorities of the EU Member States, and it seeks to raise citizens' awareness of their rights and obligations in this field. In 2018 the day takes on special importance, because the General Data Protection Regulation (GDPR), in force since 2016, will finally become applicable on 25 May.
The date was chosen to match the opening for signature of Convention 108 on the Automatic Processing of Personal Data. The Convention was adopted by the Council of Europe on 28 January 1981, and was later extended by an Additional Protocol in 2001, with the purpose of complementing the European Convention on Human Rights, which recognises the right to respect for private and family life but does not expressly elaborate a right to the protection of personal data. In short, the Convention was born of the need to protect personal data because such data play an important role in the exercise of other rights, such as freedom of speech and expression or freedom of thought and conscience.
Today the day reaches beyond Europe, since Convention 108 is open for signature by countries that are not members of the Council of Europe. To date, 51 states have ratified or acceded to it.
Companies and Member States have had a two-year period, which expires on 25 May 2018, to adapt their laws, internal rules and procedures to the Regulation. In Spain, this race against the clock has so far crystallised, at the legislative level, in a draft Organic Law on Data Protection (LOPD) already adapted to the Regulation. The Council of Ministers approved its referral to the Cortes Generales (the Spanish Parliament) last November, and it is currently going through the amendment stage with the parliamentary groups. Note that the Regulation, being an EU regulation, applies directly from 25 May in any case; if the new LOPD is not passed by then, it will apply without a national law adapting Spanish legislation to it.
As that date draws near, and given the anniversary in question, we would like to recall the main changes the Regulation introduces:
1.- Scope of application. The Regulation is also binding on companies not established in EU territory that offer goods or services to data subjects residing in the EU, or that monitor their behaviour within the EU.
2.- The definition of consent and how organisations must obtain it: through a clear affirmative act, freely given, specific, informed and unambiguous. Organisations must be able to demonstrate that the data subject has given consent.
3.- New rights for data subjects: the right to data portability, the right to erasure ("right to be forgotten") and the right to restriction of processing.
4.- Greater responsibilities for companies when engaging a processor to handle personal data on their behalf, and greater transparency and accountability obligations for everyone involved in the processing.
5.- The promotion of codes of conduct within organisations as a tool for implementing the Regulation and for fostering a data protection culture inside the company. Adherence to such codes can serve as evidence of compliance.
6.- A set of internal compliance measures that give the company visibility of the processing it carries out and enable it to implement technical and organisational measures, both preventive ones that minimise the risks arising from the processing and monitoring and control measures that ensure the information is protected. These include records of processing activities, risk analysis, data protection impact assessments, data protection by design and by default, and notification of personal data breaches to the supervisory authority (in Spain, the AEPD) and, where the breach is likely to result in a high risk, to the data subjects affected.
7.- One of these measures is the Data Protection Officer (DPO), who oversees data protection compliance within an organisation. Appointing a DPO is mandatory for public authorities and bodies, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. The DPO must act independently and report directly to the highest management level. This obligation applies not only to controllers but also to processors.
8.- Penalties and fines: the Regulation includes a complete sanctioning regime and raises the maximum fines to 20,000,000 euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements. This regime applies not only to controllers but also to processors, to representatives of controllers or processors not established in the EU, to certification bodies and to bodies that monitor codes of conduct.
These are only the most significant changes that will apply from 25 May. Is your company ready for the new European Data Protection Regulation?