Introduction
In recent times, the media have reported on the intense sanctioning activity of the Spanish Data Protection Agency (AEPD) across different industrial and business sectors in our country. In fact, there is practically no economic area that has escaped a fine, and this includes, of course, insurance, telecommunications, financial and utilities companies. In other words, sectors that are critical to the provision of services.
In many cases, the origin of the sanctions lies in formal non-compliance with current data protection regulations, for example the lack of a lawful basis for the processing. On other occasions the origin lies in errors in data management that seriously compromise the privacy rights of users, for example when a company discloses personal data to third parties without authorization.
Today, in the latest installment of our series dedicated to the GDPR, we are going to talk about the principle of accountability.
The importance of the principle of accountability
It is true that nowadays, with the growth of cybercrime and its technological specialization, it is difficult to prevent a security breach from turning into a leak or theft of customer data. For this reason, the General Data Protection Regulation (GDPR) obliges the data controller to implement appropriate technical and organizational measures to prevent breaches and to limit their impact on the people whose data is affected. So much so that when a personal data breach occurs, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects; where the risk is high, the affected individuals must be informed as well. This duty is one expression of the principle of accountability, also called proactive responsibility.
Accountability is understood as the obligation of the controller to comply with data protection regulations and to be able to demonstrate that it does so. Some of the companies recently sanctioned by the AEPD, according to the agency's own resolutions, did not respect this principle. For example, one of the fines was imposed because a company failed to update a customer's data, which resulted in the customer being wrongly included in a credit default register. In other cases the reason was the absence of a properly managed record of the data that would allow it to be processed with guarantees, or the company's inability to prove that the customer or user of the service had given consent. In these last cases, the result was a breach of Article 7(1) of the GDPR:
1. Where the processing is based on the data subject’s consent, the controller shall be able to demonstrate that the data subject consented to the processing of his or her personal data.
In each of the cases mentioned above, the controller failed to comply with the principle of proactive responsibility, showing that its data management did not meet the requirements of the regulation.

Selection of effective tools for data management
It is fair to say that data management is not simple, because of both the volume and the complexity of the data. In many cases it will also depend on other factors, such as the economic and human investment needed to manage the data in accordance with the law.
However, today there are agile tools that make it possible to centralize and safeguard users' consents throughout the life cycle of the contractual relationship, including the possibility for the data subject to withdraw consent at any time and with guarantees. This matters because the GDPR requires that withdrawing consent be as easy as giving it, so a tool that records consent must record its withdrawal just as reliably.
In addition, these tools are built on the principles of privacy by design and by default, incorporating security measures and privacy safeguards for customer data from the outset rather than as an afterthought. They also help the data controller to prove, if necessary, that consent was obtained legitimately: when it was given, by whom, for which purposes and through which channel.
How does a qualified trust service provider help you?
Many of the errors committed in the processing of data are due to a failure to obtain the consent of the data subjects, or to the controller's inability to safeguard that consent adequately and demonstrate it when required.
In this sense, a qualified trust service provider, such as MailComms Group, certifies that the communication of consent took place correctly and can provide full traceability of the sending and receipt of that consent through any channel: email, SMS, WhatsApp, etc. In this way, the data controller will be able to prove that consent was obtained correctly and can present that evidence in the event of a claim by the customer, or in the allegations procedure that follows a complaint to the AEPD (Spanish Data Protection Agency).
MailComms Group also makes it easier for data controllers and their compliance teams to meet their obligations, as it is a certified provider under ISO/IEC 27001 (Information Security Management System) and ISO/IEC 27701 (Privacy Information Management System).
The latter standard is an extension of ISO/IEC 27001 and ISO/IEC 27002 that adds privacy-specific requirements and guidance, so that organizations can run a privacy management system aligned with the data protection laws of their jurisdictions, including the GDPR. One caveat practitioners should keep in mind: certification against these standards is evidence of a managed, audited process at the provider, not a substitute for the controller's own GDPR compliance, which remains the controller's responsibility. Hence the importance of selecting both solutions and vendors that cover the two dimensions these ISO standards address: information security and privacy.