Data Protection Act

How the new Data Protection Act 2018 affects you

On May 25, 2018 the new European regulation becomes mandatory, affecting the Data Protection Act, or LOPD (Organic Law on Data Protection), although the final version of the Spanish law is still pending in parliament.

Who is affected by the new law: all entities that handle personal data and are located within the European Union. That is, if you are in Europe and you have a website offering a newsletter subscription, and therefore collect the name and email of your subscribers, it affects you. If you have customers, employees and suppliers... then don't hesitate either: it also affects you directly.

Many clients and students have been asking me questions about it, so I have prepared here a brief summary of the 7 most important points you should know about the new law.

What are the new obligations of the Data Protection Act

1. Accountability: you must notify the Spanish Data Protection Agency within 72 hours of any security breach affecting personal data. If the data are of a sensitive nature (sexual orientation, health, religion, etc.) you must also notify the affected users. On the other hand, you no longer need to register your files on the Agency's website.

2. Proactive responsibility: you must prevent any incident that could lead to a breach of the security of your data. For example, the machines that hold the data must require a login and password, the operating system must be kept up to date, you must have antivirus, etc. If you have more than 250 employees you also have to keep a record of processing activities (my advice: if this is your case, put yourself in the hands of a specialist).

3. The Data Protection Officer: if you hold sensitive data (my advice is not to hold any) you need a security officer in your company who is responsible for, or in charge of, supervising compliance. This was already the case under the old regulation, but now the role has the name "Data Protection Officer".

4. The Right to be Forgotten:

5. Right to Portability: this is new and it is a good idea! Users who have provided their data digitally to someone who is collecting it can request that data in a format that allows it to be transferred... it will be practical for changing doctors!

6. Changes in obtaining consent: the regulation states that consent must be free, informed, specific and unambiguous. This is where the problems start... because the Data Protection Agency says that every data-collection form must carry a 150-word paragraph. And you must be able to prove that users handed over their data freely and unambiguously. Don't worry: the administration menu of email management programs such as Mailchimp shows you the source of the data and the date on which it was added, so you have a record and proof of the subscription. Furthermore, since users must confirm their email (double opt-in), there is no possibility of them subscribing without realising it. This is aimed at those who buy personal data. As for cookies, the rules remain the same: you need the user's consent, and inaction cannot be taken as acceptance.
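The proof of consent described above (source of the data, date added, and a double opt-in confirmation) can be modelled as a small ledger. The following is an added example, not code from the article or from Mailchimp; the class and field names are assumptions, and the secret key is a placeholder that a real deployment would load from configuration.

```python
"""Double opt-in consent ledger (added example, not the article's or Mailchimp's code).

It keeps, per address, the record a mailing tool keeps as proof of consent:
where the address came from, when it was requested, and when the user
confirmed it. Until the second step has happened, no mail may be sent.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Hypothetical server-side secret; a real system loads this from configuration.
_SECRET = secrets.token_bytes(32)


@dataclass
class ConsentRecord:
    email: str
    source: str                        # which form or page collected the address
    requested_at: str                  # ISO-8601 UTC, set when the form was submitted
    confirmed_at: Optional[str] = None # ISO-8601 UTC, set by the double opt-in step
    status: str = "pending"            # pending -> confirmed -> withdrawn


class ConsentLedger:
    def __init__(self, secret: bytes = _SECRET) -> None:
        self._secret = secret
        self._records: Dict[str, ConsentRecord] = {}

    def _token(self, email: str, requested_at: str) -> str:
        # HMAC over address + request time: the confirmation link cannot be
        # forged by someone who only knows the address.
        msg = f"{email}|{requested_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def subscribe(self, email: str, source: str, now: Optional[datetime] = None) -> str:
        """First step: record the request and return the token for the confirmation email."""
        now = now or datetime.now(timezone.utc)
        rec = ConsentRecord(email=email, source=source, requested_at=now.isoformat())
        self._records[email] = rec
        return self._token(email, rec.requested_at)

    def confirm(self, email: str, token: str, now: Optional[datetime] = None) -> bool:
        """Second step (double opt-in): False for unknown addresses, forged tokens or repeats."""
        rec = self._records.get(email)
        if rec is None or rec.status != "pending":
            return False
        if not hmac.compare_digest(token, self._token(email, rec.requested_at)):
            return False
        rec.confirmed_at = (now or datetime.now(timezone.utc)).isoformat()
        rec.status = "confirmed"
        return True

    def withdraw(self, email: str) -> bool:
        """The user withdraws consent; the record is kept so the history stays provable."""
        rec = self._records.get(email)
        if rec is None:
            return False
        rec.status = "withdrawn"
        return True

    def may_send(self, email: str) -> bool:
        """Only confirmed addresses may receive the newsletter."""
        rec = self._records.get(email)
        return rec is not None and rec.status == "confirmed"

    def proof(self, email: str) -> Optional[dict]:
        """What you would show the Agency: source, both timestamps, current status."""
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is None:
            return None
        return {
            "email": rec.email,
            "source": rec.source,
            "requested_at": rec.requested_at,
            "confirmed_at": rec.confirmed_at,
            "status": rec.status,
        }


if __name__ == "__main__":
    # Constructed sample run: a subscription from a sidebar form.
    ledger = ConsentLedger()
    token = ledger.subscribe("ana@example.com", "blog-sidebar-form")
    print("may send before confirmation:", ledger.may_send("ana@example.com"))
    print("confirmed:", ledger.confirm("ana@example.com", token))
    print("proof:", ledger.proof("ana@example.com"))
```

The point of keeping the request and confirmation as two separate timestamps is that the second one is the evidence the regulation asks for: the address owner, not whoever typed the address into a form, acted to accept.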

7. Data processing by third parties: if you use an agency to process your payroll, or a marketing company produces your newsletter, you need a certificate from that company stating that they have been instructed to comply with the regulations. Before, you needed a contract... a certificate is easier to obtain.

To make the work easier and to have all the documentation, the Spanish Data Protection Agency has created a website that automatically generates all the documentation you need (including the paragraphs for your forms, certificates for your agency, etc.). The truth is that the tool is fine. This is the link: Facilita RGPD. I recommend you use it.

As you can see, it is not as dramatic as it is painted: make sure you meet the requirements, keep the Agency's documentation at hand in case you ever need it, and carry on working as usual.

I cited Mailchimp because it is the newsletter program I use and teach in my email marketing classes, but most programs work the same way, so check how yours handles it.

I hope this article has been helpful.

Specialist in Digital Marketing strategy. Providing training and consulting for over 15 years.

3 replies
  1. Angel
    Angel says:

    Hi Montse,
    My name is Angel Ivanov and I am participating in the ongoing SEO (natural positioning) course at Web Myriad. I have two websites built with WordPress which do not collect or process personal data. I use them for practice during the training process. I have no business, nor am I self-employed.
    Please, tell me whether I could have obligations in this respect under the new GDPR rules. Does the cookie policy always have to be notified and warned about?
    As I panicked, I removed the contact pages and changed the privacy setting to private rather than public, although the two websites are indexed.
    Thank you
    Greetings,
    Ángel Ivanov

  2. Peñarroya Montserrat
    Peñarroya Montserrat says:

    Angel, excuse the delay, I did not see the message.
    Listen, yes, you do have obligations... it must be clear on the website that you (with name, surnames and DNI) are the owner of the site. If you collect emails for a subscription to a possible newsletter, it must also be clear that you will be responsible for the database and that your users can exercise their ARCO rights. As for cookies, the same... you need to tell users that you use them (install the WordPress plugin Cookie Low). If you use Google Analytics, or your site is built with a content management system, you will always have third-party cookies, so yes, you always have to notify it.
    Don't worry, it is not so complicated to comply with these obligations... just make sure you notify users of everything there is to notify.
    I hope all goes well
    a hug
    Montse.
