A while ago, the General Data Protection Regulation (GDPR) began to govern and you see, read, listen and talk a lot about this, but do you know what it means?
The Regulation covers a legal space on the use and collection of personal data, in other words, it protects the right to privacy and privacy of European citizens. This is not to say that there are no current laws to support it, but because technology always goes later and still contemplates scenarios in which there are no “common” laws that govern them. It began to rule on May 25, 2018.
This Regulation replaces the Organic Law on the Protection of Personal Data (LOPD, in Spain) and applies to any organization that is in the European Union or for those that use data of European citizens.
What's new in the GDPR?
It gives a new definition to personal data, since it is considered that any information, even indirect that allows to identify a user is also considered a personal data, for example an IP, a user code or a temporary physical location.
The consent of the user who enters a website must be explicit and have a clear legal basis. Without consent, there is no such thing.
What new things does the Regulation have?
- A principle of transparency and information: Any company that stores data is required to notify the authorities and their users if there is a security incident and that it involves an information leak. This should be done within the first 72 hours in which the event occurs.
- Reinforced rights: The GDPR extends its scope with regard to the ARCO (Access, Rectification, Cancellation and Opposition) rights of users.
- Right to Portability of Your Data: Users may require that they give their data to you after the relationship with the entity that has their data has ended.
- Data Protection Officer:Companies are required to implement an internal figure in charge of compliance issues.
What are the implications for companies?
The GDPR will cause companies to comply with an operational methodology and be audited periodically, and will also perform an analysis of:
- Risk impact
- Certifications
- Information processing records
- Communication protocols to the authorities in case of security breaches.
The main question is whether this limits companies from acquiring user data. The answer is: not necessarily.
While we will need to increase previous communication with users and the permissions they give us, we can continue to gain insights from the data that users leave us.
What is the new scenario for users?
This is simply a step forward towards the transition of a digital society into a framework of security and trust, and data analytics reverts to better services to consumers.
For their part, users always have the decision-making power, so they can proactively control what information they will give way. This is how they can proactively exercise their rights.
What's going on in Costa Rica?
If you carry out cross-border activities with european Union countries and also have information from citizens of this community in its databases, it is important that you know these statutes and abide by them.
