The new General Data Protection Regulation entered into force in May 2016 and will be applicable from 25 May 2018. During this transitional period, although the provisions of Directive 95/46 and the national rules that apply it remain in force, data controllers must prepare and take the necessary measures to be able to comply with the provisions of the new Regulation by the time it becomes applicable.
It mainly emphasizes:
- Reduction of the age of consent. The minimum age for consenting to the processing of one's personal data in the field of information society services (for example, social networks) is lowered to 16 years. However, Member States are allowed to lower it to 13 years. In Spain the minimum age is 14 years.
In the case of companies that collect personal data, the consent must be verifiable and the privacy notice must be written in a language that children can understand.
- Active responsibility, prevention by data-processing organizations. Companies must take measures to ensure that they are in a position to comply with the principles, rights and guarantees set out in the Regulation. A number of measures have been planned for this:
1) Promotion of codes of conduct and certification schemes
2) Data protection by design
3) Data protection by default
4) Security measures
5) Maintaining a record of processing activities
6) Carrying out impact assessments on data protection
7) Appointment of a data protection officer
8) Notification of data security breaches that will be communicated without delay
- Greater commitment to data protection by organizations, public or private. It does not involve a greater burden but a different way of managing data protection than has been used so far. In view of the above measures, all organizations that process data need to carry out a risk analysis of their processing operations in order to determine which measures should be applied and how to apply them.
- Consent and risk assessment tools. Work is underway to develop measures to facilitate the identification and assessment of risks, especially in relation to SMEs dealing with the most common data in business management.
According to the regulations, consent must be free, informed, specific and unequivocal. For this, documents such as the declaration of the interested parties, records and authorizations will be required and, above all, the consent must be verifiable.
The Catalan Data Protection Agency offers information on the most relevant aspects of the content and the process of entry into force of the new regulation.