How the new Data Protection Act 2018 affects you


On May 25, 2018 the new European regulation on data protection becomes mandatory. It affects the Data Protection Act, or LOPD (Ley Orgánica de Protección de Datos), although the final version of the Spanish law is still pending in parliament.

Who is affected by the new law: all entities that handle personal data and are located within the European Union. That is, if you are in Europe and you have a website where you offer a newsletter subscription, and therefore collect the name and email of your subscribers, it affects you. If you have customers, employees and suppliers... then don't doubt it: it affects you directly too.

Most of my clients and students ask me questions about it, so here I have prepared a brief summary of the 7 most important points you should know about the new law.

What are the new obligations under the Data Protection Act?

1. Accountability: you must notify the Spanish Data Protection Agency within 72 hours of any security breach affecting personal data. And if the data are of a sensitive nature (sexual orientation, health, religion, etc.) you must also notify the affected users. On the other hand, you no longer need to register your files on the Agency's website.

2. Proactive responsibility: you must prevent any incident that could lead to a breach of the security of your data. For example, the machines that hold the data must require a login and password, the operating system must be kept up to date, you should have antivirus, etc. If you have more than 250 employees you have to keep a record of processing activities (my advice is that if this is your case, you put yourself in the hands of a specialist).

3. The Data Protection Officer: if you hold sensitive data (my advice is not to hold any) you need a security officer in your company who is responsible for, or in charge of, supervising compliance. This was already the case under the old regulation, but now the role has the name "Data Protection Officer".

4. The Right to be Forgotten:

5. Right to Portability: this is new and it is a good idea! Users who have provided their data digitally to someone who is collecting it can request this data in a format that allows it to be transferred... it will be practical when changing doctors!

6. Changes in obtaining consent: the regulation states that consent must be freely given, informed, specific and unambiguous. This is where the problems start... because the Data Protection Agency says that every data-collection form must carry a 150-word paragraph. And you must be able to prove that users gave you their data freely and unambiguously. Don't worry: in the administration menu of email management programs such as Mailchimp you can see the source of the data and the date they were added, so you have a record and proof of the subscription. Moreover, since users must confirm their email (double opt-in), there is no possibility of them subscribing without realising it. This is aimed at those who buy personal data. Regarding cookies, the rules remain the same: you need the user's consent, and inaction cannot be treated as acceptance.
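Points 5 and 6 above describe what a mailing tool must keep to prove consent: the source of the data, the date of the request, a double opt-in confirmation, and a machine-readable export for portability. The following is an added example, not code from the original article or from Mailchimp; the class and function names (`ConsentLedger`, `request`, `confirm`, `export`) and the 48-hour token lifetime are assumptions.

```python
import json
import secrets
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Assumption: an unconfirmed request expires after 48 hours, so a stale link cannot
# be used to subscribe someone long after they filled in the form.
TOKEN_TTL = timedelta(hours=48)


@dataclass
class Subscription:
    email: str
    source: str                       # which form collected the address, e.g. "blog-footer-form"
    requested_at: str                 # ISO 8601 UTC timestamp of the form submission
    confirmed_at: Optional[str] = None   # set only after the double opt-in click
    token: Optional[str] = field(default=None, repr=False)


class ConsentLedger:
    """Hypothetical consent record: nothing is a subscription until it is confirmed."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._pending: Dict[str, Subscription] = {}    # token -> subscription awaiting confirmation
        self._confirmed: Dict[str, Subscription] = {}  # email -> confirmed subscription

    def request(self, email: str, source: str) -> str:
        """Step 1: record the form submission and return the token to put in the confirmation email."""
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        self._pending[token] = Subscription(email, source, self._now().isoformat(), token=token)
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the user clicks the link; only then is consent recorded with its own timestamp."""
        sub = self._pending.pop(token, None)  # unknown or reused token: nothing to confirm
        if sub is None:
            return False
        if self._now() - datetime.fromisoformat(sub.requested_at) > TOKEN_TTL:
            return False  # expired: the user has to submit the form again
        sub.confirmed_at = self._now().isoformat()
        sub.token = None
        self._confirmed[sub.email] = sub
        return True

    def is_subscribed(self, email: str) -> bool:
        return email in self._confirmed

    def export(self, email: str) -> Optional[str]:
        """Portability: return the user's own record (source and both dates) as JSON."""
        sub = self._confirmed.get(email)
        return None if sub is None else json.dumps(asdict(sub), indent=2)
```

The exported record carries both the source and the confirmation date, which is exactly the evidence the article says you need if asked to show that a subscription was freely given.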

7. Data processing by third parties: if you use an agency to handle payroll, or a marketing company produces your newsletter, you need a certificate from that company stating that it has been instructed to comply with the regulations. Before, you needed a contract... a certificate is easier to obtain.

To make the work easier and give you all the documentation, the Spanish Data Protection Agency has created a website that automatically generates everything you need (including paragraphs for your forms, certificates for your agency, etc.). The truth is that the tool is fine. This is the link: Facilita RGPD. I recommend you use it.

As you can see, it is not as dramatic as it is painted: make sure you meet the requirements, keep the Agency's documentation on hand in case you ever need it, and carry on working as usual.

I cited Mailchimp because it is the newsletter program I use and teach in my email marketing classes, but most programs work the same way, so check what yours offers to make this easier.

I hope this article has been helpful.

14 replies
  1. Angel
    Angel says:

    Hi Montse,
    My name is Angel Ivanov and I am taking part in the ongoing SEO course on natural web positioning at Myriad. I have two websites built with WordPress which do not collect or process personal data. I built them as practice during the training. I have no business, nor am I self-employed.
    Please, tell me whether I could have obligations in this respect under the new GDPR rules. Does the cookie policy always have to be notified and warned about?
    As I panicked, I removed the contact pages and changed the privacy setting from public to private, although the two websites are indexed.
    Thank you
    Ángel Ivanov

  2. Peñarroya Montserrat
    Peñarroya Montserrat says:

    Angel, excuse the delay, I did not see the message.
    Hey, yes, you do have obligations... it must be clear on the website that you (with first name, surname and DNI) are the owner of the website. If you collect emails for a subscription to a possible newsletter, it must also be clear that you will be responsible for the database and that your users can exercise their ARCO rights. Regarding cookies, the same... you need to state that you use them (install the Cookie Law plugin for WordPress). If you use Google Analytics or your website is built with a content management system you will always have third-party cookies, so yes, you always have to notify it.
    Don't worry, it is not so complicated to have these obligations... just make sure you notify users of everything there is to notify.
    All the best
    A hug

  3. Juan Antonio Castro
    Juan Antonio Castro says:

    Hello Montserrat,
    We are a group of self-employed people and we intend to set up a non-profit organization to manage administrative claims. My question is: does the association also have data protection obligations towards its members?
    Thanks greetings.

  4. Elisabeth Martinez Escala
    Elisabeth Martinez Escala says:

    With this new law, is it permissible to leave your name in the public exams and job competitions for administration posts that you register for, and in their results, seeing that elsewhere only the DNI is shown?

  5. Peñarroya Montserrat
    Peñarroya Montserrat says:

    Yes, if you have personal data of students... you must have, whatever your role, things such as a data processing contract with a third party (that would be if you need someone external to manage payroll), but you hold student data and therefore have the same obligations as any organization, even if independent.

  6. Peñarroya Montserrat
    Peñarroya Montserrat says:

    Ummmm, this is difficult to answer. I think they should not. The data you mention are basic level, but the fact that it is for a public competition, and therefore you're applying for a job (which can affect you in your current position), I'd say makes the data medium level... so no, I think they should at most indicate only the DNI... but that said, I'm no expert in this type of law; better ask a specialist in data management.
    Kisses, Elisabeth.

  7. Peñarroya Montserrat
    Peñarroya Montserrat says:

    Sorry Angel, I missed your comment. If you don't collect data you have no obligation towards the Data Protection Agency. With a contact form, as long as you don't subscribe them to anything, the only obligation is to keep that data safe and neither sell it nor let it be stolen from you. It doesn't matter whether you are self-employed, a company or just a person. Regarding cookies, yes, it is mandatory to notify them. Always. It is very tedious and it is silly because every website uses them (except the Data Protection Agency's website)... but that's how things are.

  8. LOPD consulting
    LOPD consulting says:

    It is very important that the data collected are only those required for the purposes specified, which must be stated clearly beforehand to earn the person's trust. Thank you for all these tips. The truth is that we must be constantly aware.

  9. Anna
    Anna says:

    Good morning, I'm a doctor starting to work on my own and I need a form to give my patients when they come for a visit, but the link you gave tells me that there is no health form. What should I do????
    Thank you

  10. Peñarroya Montserrat
    Peñarroya Montserrat says:

    Hi Anna, no form you create should ask for health information from the people who fill it in. If it is for an appointment, or directly in an automatic appointment engine, only ask for basic things such as first name, surname, email and phone (at most). If you ask for anything related to health, then you move to a high security level and need a lot of things (such as audits every two years, special controls for servers, physical access control wherever there are machines holding the data... a mess... better not ask for it).

  11. Peñarroya Montserrat
    Peñarroya Montserrat says:

    Hello Javier, if you collected them without consent you cannot use them for a subscription, but you could use them to send a mailing asking whether they want to subscribe. If they don't answer or say no, then you cannot do anything with them. If they answer yes or carry out the call to action you proposed, then you have recovered them.
    I hope this answer is useful
    A hug
