With this simple decalogue, developed by the VASS consultancy, you can find out whether your SME is one of the many that are not complying with the new European General Data Protection Regulation (GDPR), which provides for sanctions of up to 20 million euros or 4% of the annual turnover of the previous year.
“The first step to adapt to the regulation is to become aware of why it is important to protect the data. If employers and workers have not assimilated this, the measures taken to comply with the GDPR will not be sufficient or effective.”
MAKE A ROUTE SHEET
“Having a document that includes the risk analysis and the impact assessment of the data processing carried out so far is basic to acting in accordance with the regulation. It is not easy to draw up, and it requires time and resources, but the reputational and economic price of the sanctions for breaching the law will always be greater.”
OBTAIN THE ACCREDITATION OF THE COMPLIANCE OF THE GDPR
“The Spanish Agency for Data Protection (AEPD) is the public body responsible for enforcing the regulation. To avoid fines, companies must prove to this institution that they have implemented the requirements established by the regulations. If the impact assessment shows a high risk, the AEPD itself will indicate what they should do.”
DEVELOP A RECORD OF ACTIVITIES
“This document specifies what data the company is collecting and for what purpose, as well as the measures and level of security that are applied, the type of file and whether the stored data will be transferred outside the European Economic Area (EEA). In this way, the citizen can know at all times what happens with their personal information and where they can exercise their rights.”
“All agencies must review the consents obtained (use of data for commercial purposes, sending information by mail, etc.), as well as the workers' confidentiality and security documents, to adapt them to the GDPR. It will be necessary to send all the information back to users and employees for reasons of transparency and, in addition, to do so as soon as possible.”
ADAPT SECURITY MEASURES
“Depending on the results of the risk analysis carried out by the company, the data processors have to adjust the security measures to the reality of their company. This is the only formula to guarantee good use of the information and to minimize the risk of it being compromised in the event of a cyber attack.”
ESTABLISH NOTIFICATION MECHANISMS
“Any breach of security must be made public within a maximum period of 72 hours. Who should receive the notification? The users, customers and subsidiary companies affected. Careful! If this warning is not given, the victims will be able to report it and the company will face sanctions.”
CREATE A LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
“The regulation includes six types of legal bases for the processing of data in Europe: vital interest of the individual, public interest, contractual need, compliance with legal obligations, unequivocal consent of the individual and legitimate interest of the person responsible for data processing. All have the same legal value, and companies must adhere to them in order to operate correctly.”
IS A DATA PROTECTION DELEGATE (DPD) NECESSARY?
“Yes, in 3 situations: in the case of a public body, if the person in charge carries out large-scale monitoring and tracking of data, and when this information has to do with convictions or crimes of different kinds (for example, sexual violence). If the company meets any of these conditions, it must certify the manager as DPD through the AEPD.”
INCORPORATE TECHNOLOGICAL INNOVATION
“Technology is a fundamental ally in facilitating compliance with regulations. The new tools and solutions that experts in the field put on the market not only make it possible to incorporate effective security measures, but also simplify and speed up the extraction and analysis of information.”