An important regulatory change regarding data protection is approaching, and you have probably already received various information about it. Until next May 25, the data protection obligations applicable in Spain remain governed by two basic pieces of legislation: Organic Law 15/1999 of December 13 on the Protection of Personal Data, and Royal Decree 1720/2007 of December 21, which approves the Regulations implementing Law 15/1999. As of next May 25, they will be replaced by the new Organic Law, currently in the legislative process, and by EU Regulation 2016/679, the General Data Protection Regulation.
These regulations establish new requirements. They also provide for significant sanctions in the event of non-compliance.
To comply with this EU Regulation, the new requirements must be taken into account, among which the following should be highlighted:
1. Data protection audit.
Before updating the policies, protocols and texts relating to the processing of personal data in the company, the current degree of compliance with data protection regulations must be audited. For this, the audit team must be made up of professionals with both legal and IT knowledge.
2. Duty of information.
This new Regulation expands the information that must be communicated at the time personal data are collected. To the previous requirements (purpose, recipients of the files, whether providing the data is mandatory and the consequences of not doing so, the rights of the data subject and the identity of the controller), it adds the following:
- legal basis of the processing
- maximum period for which the data will be kept
- identification, where applicable, of the Data Protection Officer
- whether or not there will be international data transfers
- right to file a complaint
- whether or not automated decisions are made
The new rights that must be reported with the new Regulation are those of access, rectification, deletion, limitation, portability and opposition.
3. Data processor contracts.
The contracts that companies maintain with third parties for the processing of data for which they are the controller must be in writing, detailing the controller's instructions to the processor regarding security measures, the subcontracting regime, confidentiality, and the destination of the data once the service ends.
4. Risk analysis.
All companies must analyze their IT vulnerabilities and potential security breaches in order to implement the most suitable IT solutions to prevent, block or neutralize attacks. Accordingly, the company must establish a monitoring system that carries out periodic reviews.
The Regulation makes companies responsible for identifying the security measures they will apply to the processing they carry out, and requires that these measures be appropriate to the risk associated with each set of files. The company therefore needs to carry out a risk analysis.
5. Impact evaluation.
For certain companies, an Impact Assessment is required when a type of processing, especially one involving the use of new technologies, is likely to entail a high risk to the rights and freedoms of natural persons. This requirement is aimed at companies that carry out large-scale processing of special categories of data (criminal offences, public access, profiling, etc.).
6. Data Protection Officer (DPO).
The Regulation establishes the obligation for certain companies to appoint a DPO, who must have specialized knowledge of data protection law and practice, with a minimum requirement of four years' experience. The DPO's functions are to manage and oversee data protection within the company and to act as the point of contact with the Spanish Data Protection Agency. In addition to public bodies, the companies required to appoint a DPO are those that process special categories of data on a large scale or carry out regular and systematic monitoring of data subjects.
If you need any clarification, we are at your disposal.