30 April 2018


Rousaud Costas Duran emphasises proactive responsibility in order to comply with the GDPR

30 April 2018

On 25 May, the new European data protection regulation, the General Data Protection Regulation (GDPR), will enter into force. It will affect a large number of European companies and is based on the principle of proactive responsibility. Barcelona Tech City held an event at CaixaBank’s DayOne centre in which Jesús Martrat, a partner in the privacy area at Rousaud Costas Duran, a data protection specialist, offered some recommendations that startups should take into account in order to deal with this new regulation.

As a starting point, Martrat recommended beginning by “verifying whether the company really deals with personal data, which is information about an identified or identifiable individual”.

To do this, it is important to create a diagram that includes:

  • Origin of the data, use and transfer to third parties
  • Data input/medium formats
  • Access and permissions
  • Transfer methods
  • Locations

“With this map we can write some ‘compliance’ documents that reflect your business model”, explained Martrat. In case of any doubt, it is recommended to turn to official sources such as the Spanish Data Protection Agency, which has published a Regulatory compliance checklist. This is a document with which organisations can identify and verify that they are complying with the requirements established by the General Data Protection Regulation.

Principles of the regulation

The regulation is based on the basic principle of proactive responsibility, and the company must decide how to comply with it. The regulation does not tell you what to do; it is a standard related to goals. As a new development, a principle of transparency is established, with clear language on privacy policies and messages.

  • Responsibility
  • Fairness, loyalty and transparency
  • Purpose limitation
  • Data minimisation: only those that are needed
  • Accuracy of database data
  • Limitation of the storage period: strict time limit and user’s right to know it
  • Integrity and confidentiality
  • Data protection from the outset and by default

Tasks to comply with the GDPR

According to the Spanish Data Protection Agency (AGPD) the following actions are essential: Designation of the data protection officer; recording of processing activities, which is the internal document describing what data is processed and for what purpose; identification of the purposes and legal basis, including user consent and legitimate interest; review of security measures; assessment of which processing requires an impact assessment on data protection, which is an internal audit carried out by a company on technological processes to assess the risks involved in the new platform. And, in addition, to adapt the right to information forms; to create and adapt the privacy policy, which is what the user sees, for example, on the website.

Finally, the AGPD recommends documenting. “Generating documents is a basic requirement. Comply with the GDPR and be able to prove it. Internal policies generate good compliance. The language of privacy policies should be simplified, it should be clear and simple”’, says Martrat.

The principle of transparency requires information on: who, what, for what purposes; what rights the user has; offering him/her several access routes. Forms cannot contain abusive clauses; this could lead to more sanctioning. National provisions must also be taken into account; local laws will complement this regulation, and in Spain there will be the LOPD, which may contain specific provisions. “In terms of policy, it is important to train internal staff who process data in your company, it is an obligation and an important area of ‘compliance’. As for supplier policies, define the standards you want them to meet and include them in the contracts as collateral”, recommends Rousaud Costas Duran’s specialist.

Data processing contract (DPA)

The AGPD has created a guide where you can see which points you need to comply with. Consent, in the previous legislation, had to be free, specific and informed. The GDPR now adds that consent must be demonstrable and must be an affirmative statement. Pre-ticked boxes, for example, are no good. In the case of the consent of minors, this will be from the age of 16, and from 13 in some national legislation. The position of data protection officer in a company is mandatory in some cases and recommended in almost all cases. This is the data protection compliance officer. It is recommended that this officer be supported by a team that will be responsible for making decisions in crisis situations.

Data protection transfer: there is a principle of prohibition of transfers to third countries which do not ensure an adequate level of protection. In Spain, the obligation to register in the AGPD files disappears and is replaced by the register for processing activities, and it is very important to have it ready before 25 May. As far as information security is concerned, it is essential to seek advice from good experts. The wording of the new regulation says that you have to have security measures that are suited to the risk. You must verify your security systems and set up security systems that guarantee the privacy of your data.


Penalties and cyber attacks

Penalties will be divided into serious and very serious, depending on the level of severity, the duration of what has happened, the damage caused, the intentionality or negligence, cooperation with the authorities or whether codes of conduct are adhered to. The law requires you to give an official reply to users within one month or the data subject can go directly to the Data Protection Agency.

“A company may be faced with a direct sanction proposal. This is why it is important to be transparent. The more you encourage users to talk to you if they have any doubts or complaints, so incidents can be monitored better”, remarked Jesús Martrat from Rousaud Costas Duran.

On the other hand, he indicated that in cases of hacking or cyber attacks in which data could be affected, there is a 72-hour period to inform data protection agencies. Missing data and actions taken must be reported, all with documented decisions. Likewise, the GPDPR also contemplates that interested parties be made aware of what has happened with their data. And you, are you ready for the GDPR yet? You have until 25 May.   Websites of interest