Some people think there is a memorial day for anything and in reality the list is bulging. But we are approaching January 28th and we thought it was important to tell you that this Sunday is European Data Protection Day. The subject is relevant: it affects us all more and more every day and the legislator is aware of this, in view of the regulations that exist in this regard and the penalties imposed for non-compliance. And the objective of the day is also clear: to raise awareness and disseminate information.
The first question we can ask ourselves is, why has this date been chosen? The Council of Europe, supported by the European Commission and the Data Protection Authorities of the Member States, opted for January 28th because of its Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, approved by the Council of Europe itself on this very day, but in 1981. Since then, this treaty has been ratified by 55 countries, i.e., it goes beyond the Community level, and has been updated to keep pace with the times and, above all, with technological developments.
This agreement was innovative (remember that the Internet was little more than an experiment at the time) and very significant. But even more so is the General Data Protection Regulation (GDPR), which came into force in 2016 and has been applied effectively since May 25, 2018, after a two-year gap for entities to adapt to the new requirements. The GDPR can be approached from different perspectives, but one of the most striking things is the fines for non-compliance that it has provoked, very high in number and amount.
In a very summarized way, the GDPR was introduced to, among other things, harmonize European data processing regulations and enhance the protection of citizens. Perhaps the three most important points of the text are the creation of the figure of the Data Protection Delegate, also called DPO (Data Protection Officer), who is the person in charge of ensuring compliance with the regulation in companies; its reinforcement of the right to be forgotten; and the obligation of express written consent of each person to process their personal data for specific activities or purposes.
Legitimate interest vs. express consent
The GDPR indicates in Article 6 several assumptions for the collection and processing of data to be lawful. These legitimizing bases are: consent of the data subject, public interest, contractual necessity, protection of vital interests of the data subject, compliance with a legal obligation and legitimate interests. To be valid, the latter assumption weighs the legitimate interest of the controller against the interests and fundamental rights of the individual. And the latter cannot prevail over the former. What happens is that this analysis is not always done in the right way, hence the intense sanctioning activity based on this particular article. In any case, legitimate interest is not a “generalized” license and must be applied responsibly.
As we can see, the practice of resorting to legitimate interest has its risks, so it is preferable to obtain express consent to avoid them.
Technology for consent management (and risk avoidance)
But to ensure legal compliance and avoid penalties and reputational damage, you can also choose to collect the consent of the individual for each situation taking into account the purpose of the data processing. And technology is an important ally here.
At MailComms Group, for example, we offer a solution for obtaining and managing consent from our partner ECIX, which ensures compliance in the management of consent throughout its life cycle.
It also does so through any channel and with collection and custody of evidence for at least five years in a secure environment (including tracing, certification of shipment, acceptance of consent and other aspects). Everything is also recorded in a time-stamped certificate with our electronic signature as a qualified trusted electronic service provider.
Free Webinar with ECIX on GDPR
If you want to know more about how MailComms Group can help you to comply with the GDPR and avoid fines from the Spanish Data Protection Agency, we propose two things. The first is that you visit our section on GDPR consent management. The second and most effective is that you join us in the free webinar that we will hold on January 30 (at 10 am) in collaboration with our trusted partner, ECIX. We told you all about this seminar a few days ago in this blog post, where you will also see how to register for free.
During the meeting we will explain how to effectively manage risks related to the GDPR, look at the most common reasons for penalties given by the Spanish Data Protection Agency, discuss how each company can perform a self-analysis of its risks and present the benefits of using technology to ensure legal compliance. We hope to count on you!