Are you prepared for the new legislation on data protection?

On May 25 will enter into force definitively the European data protection (GDPR) Regulation. We say, "definitely" because although it was already existing for two years it will not be until this day whenever obligat

Orio comply with it. Therefore, if you have not done so, it is time for prepare your business for new data protection requirements.

What are the differences between the GDRP and the former data protection act?

There are some differences that you must consider and remedy before the sanctions begin between the new and old rules of data protection.

1 territory of application

The GDPR applied even outside the borders of the European Union provided that the products or services which are offered to belong to the Mainland. This is one of the highlights of the new law, although its control will not be simple.

2. user consent

Although the former data protection act already forced to request the consent of the use of your data to the user, the new legislation leaves clearly specified that they can only obtain the data which are only required to provide the service/product, avoiding thus ask for more information from the device under the same consent. In addition, new consent must be active and verifiable. I.e., it is not possible to take it for granted or not validate it if there is some kind of record for subsequent checks.

3 security advisories

The new law includes three new aspects to take into account referred to the information and the way of presenting it. They are as follows:

-You must specify the legal basis the treatment of data.

-The retention time it applies to those data must be the consumer.

-The information mandatory that you must give the user must be clear and conciselooking for whenever it is understandable.

4. right to oblivion

With this new law users may benefit from the right to oblivion. The consumer may request the Elimination of data in certain circumstances: if they have been obtained illegally, if they are no longer needed or if he withdraws properly consent.

5. right to number portability

Another important novelty of the AGPD is the right to number portability. Its function is to ensure that companies that manage the data of a given are obliged to send them in the correct formats.

6. compulsory data registration

With the entry into force of the LOPD 2018, all companies that work with data of persons must have a record with all of them mandatory.

7 risk studies

The new law establishes that when you make a major change, whether storage, support, or any other similar appearance, a study of risks of viability must be previously for avoid data may be exposed and take the necessary measures to avoid it.

8. data protection delegate

All the companies that engaged in massive data processing or using public databases will have to be necessarily a data protection delegate. Their mission will be monitor all the actions with regard to this issue so that they conform to the regulations in force.

What sanctions I can impose if breaks with the rules?

The penalties for breaking the new law of data they are very high. They can be between the 2% and 4% of the volume of businessand can reach inclusor figures of between 10 and 20 million euros.

How suitable my ecommerce to new data protection legislation?

When a client indicates your e-mail address, register in your store or simply facilitates your IP it is bringing your "personal data". Therefore, if you have a shop you have to meet the GDPR.

The first thing you should do when a new customer to your store through a registration form is notified to the Spanish Agency of data protection (AGDP) files that collect information and any alteration thereof.

To save the data of third parties, online stores must have with your specific consent, as we have indicated in point two of the previous paragraph, also data should be able to be amended and revoked permissions.

Regarding security, files containing personal data must be protected from possible attacks from hackers, and access to information only will be permitted to authorised persons.

To this end, the hosting shop must comply with all legal requirements on securitybeing the most reliable which is in European territory. If you opt for an American hosting, it is mandatory that it is within the list "Safe harbor"

You should also assess whether your store needs to designate a Data protection delegateevaluate if you need to update the privacy policies of your store and, if you use external applicationsmake sure that they comply with the rules.

In terms of your customers, make sure that you are complying with all rights We have described before and that accounts are your consent to process your data.

And finally, remember that the laws require to perform risk studies before carrying out any modification that might put the danger the rights and freedoms of the customers.

Sources:

http://www.agpd.es/portalwebAGPD/temas/reglamento/index-ides-idphp.php

https://www.eugdpr.org