May 25, 2018 will be a very important date for companies: it is the day on which the new General Data Protection Regulation (GDPR) becomes mandatory. Companies need to be prepared for the new law; otherwise, they will be exposed to the heavy fines that the new regulation provides for. So this is the time to answer the question: what, after all, changes with the arrival of the GDPR?
With the new law, citizens gain the right to request the portability of their personal data. That is, citizens will have the right to request all the personal information that a company keeps about them, in a readable format and with the portability needed to pass it from one company to another. This makes it easier to change an insurance or television service, because the data will be transferred automatically.
Citizens will be able to require companies to delete their personal data. The right to be forgotten is in reality an extension of the right that citizens already had to prevent their personal data from being processed. With the Regulation they will be able to demand something more: that their data be erased.
The DPO, or Data Protection Officer, is not a mandatory position for all companies. This function is required whenever:
(a) the processing is carried out by a public authority or body, other than the courts in the exercise of their judicial function;
(b) the main activities of the controller or the processor are processing operations which, by reason of their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
(c) the main activities of the controller or the processor are large-scale processing of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
The DPO may work part-time or full-time and may be an internal employee of the company or hired externally. The DPO must be a professional with relevant training in the area and is the person responsible for all matters relating to personal data in the company.
The new GDPR focuses heavily on enforcement and penalties, through the application of high fines for offenders. In cases of minor breaches, the fine may reach 10 million euros or 2% of the global turnover of the group in which the company operates, and in the worst cases it may reach 20 million euros or 4% of worldwide turnover.