In his latest article, Álvaro Gómez Vieites explains the main aspects of the General Data Protection Regulation (GDPR), adopted on April 27, 2016, which will apply from May 25, 2018.
Álvaro Gómez is an associate security consultant at Inprosec and a professor at several business schools and universities (IESIDE, ESEUNE, ESIC-ICEMD, UNED). He is also the author of 31 books and numerous articles on ICT, information systems, digital marketing, electronic commerce and computer security.
The GDPR enshrines the fundamental right to data protection in the EU and applies to the processing of personal data of individuals (data subjects). In this sense, it reinforces the requirement for the data subject's consent, which must be freely given, specific, informed and unambiguous, with the burden of proving that consent was given falling on the controller. Tacit (implied) consent ceases to be valid, so companies must review the procedures they have followed to date for requesting the consent of data subjects.
Regarding data subjects' rights, the GDPR establishes the right to be informed about the processing of personal data, the rights of access, rectification and erasure, the rights to restriction of and objection to processing, and the right to portability of personal data.
As for security measures, the GDPR makes it mandatory to notify a personal data breach to the competent supervisory authority of the Member State without undue delay and, where feasible, within a maximum of 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must describe the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned.
It is also worth highlighting the introduction of the Data Protection Officer (DPO), mandatory for certain types of organisations (public authorities, organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data, among others).
Non-compliance with the GDPR can lead to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. The nature, gravity and duration of the infringement will be taken into account in determining the fine, as well as the number of data subjects affected, the damage suffered and the degree of intent or negligence.