
The GDPR represents a change in companies towards a risk management model based on proactive responsibility


Andersen Tax & Legal holds a conference on European data protection legislation in Seville

20 June 2018. The General Data Protection Regulation (GDPR) marks a shift from the current formalist model to a new compliance model based on risk management, in which exhaustive measures must be established because the Regulation rests on the proactive responsibility (accountability) of the company.

The conference, entitled "The GDPR is already a reality, and now what? The European data protection regulation beyond 25 May", was organised by Andersen Tax & Legal together with Caja Rural del Sur and Cesur in Seville. It featured José Manuel Pumar, Andersen Tax & Legal Partner and director of the Seville office; Rafa Ripoll, Andersen Tax & Legal Of Counsel; Isabel Martínez Moriel, head of the firm's Privacy, IT & Digital Business area; María García Zarzalejos, lawyer in the same area; and Guadalupe Aragoneses, Head of Legal Advice and Regulatory Compliance at Caja Rural del Sur.

During her speech, Isabel Martínez Moriel stressed that the purpose of the Regulation is to adapt to the digital world in order to protect the user, and to let companies adopt internal processes that are equivalent in all EU Member States. Specifically, she indicated that the Regulation introduces new rights for the user, such as the right to be forgotten, the right to restriction of processing and the right to data portability, and provides greater protection for users through the proactive responsibility of the companies responsible for processing, which must adopt the measures necessary to comply with the Regulation and be in a position to demonstrate that those measures are being applied.

She then listed some of these measures: the register of processing activities, the collection of express consent for the use of data, the configuration and development of technology with data protection by design, always adopting the most data-protective option, the preparation of impact assessments, the appointment of a Data Protection Officer (DPO), greater flexibility and transparency, and pseudonymisation, which involves anonymising personal data after the legal storage period so that they can no longer be linked to a person but can still be used for a purpose other than the one for which they were collected, such as analytical or statistical purposes.

For Andersen Tax & Legal's Head of Privacy, IT & Digital Business, organisational measures, such as employee training and the logging of processes, among others, are just as important as technical measures in minimising the risks of data processing.

"We are moving towards the adoption of regulated codes of conduct and certification mechanisms, so that processes can be standardised and the control bodies, such as the Spanish Data Protection Agency (AEPD), can certify the measures adopted as the correct ones", said Isabel Martínez Moriel. She added that, in the case of suppliers, companies are increasingly requesting ISO certifications in order to confirm that their suppliers comply with the regulations, since the companies that contract the service have a special duty of diligence with respect to their processors.

For her part, María García Zarzalejos addressed the figure of the Data Protection Officer, which is mandatory for public authorities and bodies, for entities that systematically process data on a large scale and, finally, for companies that process sensitive data (on health, trade union or political affiliation, etc.) or data relating to criminal offences. In her speech, she indicated that the DPO must be a person who is not exposed to conflicts of interest, so the role could not be held by a member of the board or by those who decide directly on the processing of the data, such as the head of the IT or marketing department. She also pointed out that the DPO could be either an internal member of the organisation or an external person engaged under a contract for the provision of services.

José Manuel Pumar recalled that the GDPR is a European directive directly applicable to all companies and public bodies located in the European Union or that process personal data of people who are in the EU, with penalties that can reach 20 million euros or 4% of annual turnover, while Rafael Ripoll explained that the regulation seeks to approximate the laws of the 28 Member States and takes "another step towards the practical uniformity of their jurisdictions".
