Two months after the implementation of the General Data Protection Regulation across the European Union, many organizations are considering what specific measures they should take to comply with the regulation, which will be applicable from 25 May onwards. For this reason, PONS IP held a session to review the main news on the GDPR and its practical application in various types of companies. José Carlos Erdozain, legal director at our firm, and Paula García, a lawyer specializing in data protection, answered the questions of the audience, as well as of those who followed us live on YouTube.
Among the changes introduced by the regulation, the principle of accountability for all organizations processing personal data, irrespective of their size, was highlighted, as was the new definition of the consent of individuals when collecting their data, which now requires a clear affirmative action on their part. “Companies will need to be able to prove that the user has said ‘yes’. We will have to analyze if in all cases this means checking a box or if there will be situations that can be interpreted as express consent,” García said.
Erdozain addressed one of the questions that concerns employers the most: Am I obliged to renew the consents already obtained for the processing of data? Our legal director believes that prudence should be prioritized, so it should be checked whether the previous consents comply with the new regulation. If this is not the case, or when in doubt, he recommends renewing them to avoid sanctions, which have also been tightened by the new regulation. “We must think that the GDPR no longer admits silence or inaction by individuals as a form of consent,” he said.
They also discussed one of the most striking measures of the Regulation: the need to appoint a Data Protection Officer in some companies. But, as the speakers made clear, the DPO will not be necessary in all cases. Public authorities and bodies (with the exception of courts), as well as organizations that process special categories of data on a large scale, will be obliged to appoint one. Among the companies considered “special cases” as regards the DPO position, the speakers highlighted advertising and commercial prospecting entities, health centers, electronic communication networks and services, insurance companies, electricity distributors and marketers, and professional associations, among others.
The speakers also reminded the audience that the Regulation introduces new rights, such as the right to be forgotten and the right to data portability, and a new regulation of the ARCO rights: Access, Rectification, Cancellation (now defined as deletion) and Opposition. All these developments give Data Protection in the EU greater dynamism and importance, forcing entities to take it into account in the design of their structural and business plans. In addition, the regulation also applies to undertakings not located in the territory of application if they offer goods and services to citizens resident in that territory. There are still some aspects to be clarified which, according to the experts, will be developed by the future Spanish Organic Law on Data Protection, which will presumably not be approved before the GDPR becomes applicable.
In short, and as our experts remind us, the new GDPR requires the data protection culture to become an intrinsic element of all business activities, demanding greater responsibility and effort from everyone.