Final countdown for the implementation of the European Regulation of Data Protection

On 25 of May the General Data Protection Regulation (GDPR) will be implemented. From then onwards, the GDPR will be the reference standard, and the current regulations of each Member State will be repealed. Therefore, in Spain, Organic Law 15/1999, on Data Protection will be repealed. Many of the concepts and mechanisms contained in the GDPR are already foreseen in a very similar manner in the regulation currently in force. For this reason, companies that are already complying with the current regulations, create a good premise for progress towards a correct implementation of the GDPR. However, the GDPR does modify certain rules of the current system and includes new obligations. Hereafter we refer to some of the ones that we consider to be the most relevant.

Responsibility principle

From now on those who process personal data will no longer have to record the personal data files in the Data Protection Agency, nor do they need to have a security document. The GDPR does not require to comply with specific formalities, but it permits each company to have the freedom to organize itself as it deems convenient in order to comply with the GDPR. To that end, they must conduct impact assessments, analyzing the possible risks when using personal data, depending on which data is being processed, how they will be processed and for what purpose. It is convenient that all these processes are documented, to be able to prove adequate compliance with GDPR.

Information and consent

In order to achieve greater transparency, the information that must be provided to the data subject whose data are going to be used must be more complete, concise and expressed in a plain language. As regards the consent given by such data subject, it will now have to be “unambiguous”, meaning, by a clear affirmative action of the data subject. Tacit consent will no longer be acceptable. When collecting health data, or biometric or genetic data, such consent will also have to be explicit.

Practical consequences

Although companies might be currently meeting their obligations regarding data protection, it is highly advisable that they review their course of action in this field. In particular, it is advisable to review the content of the information clauses and the way in which the consents are being obtained. It is also convenient to review the privacy policies and the specific procedures that the companies might have implemented so that they might, where necessary, adapt them to the requirements of the GDPR.

Some aspects of the GDPR will be supplemented by the new data protection law which will be approved in Spain in the coming months. We will refer to these matters future Cápsulas.