Get the latest news right in your inbox
The General Data Protection Regulation (GDPR) marked a turning point in all areas of the economy and society as a whole. The way in which data is collected, processed, and stored by companies and individuals is now under scrutiny by regulators.
This regulation affects companies, freelancers, or independent professionals who carry out economic activities on a regular basis. This means that no one can ignore the requirements and standards set by this new regulation. Following this, trusted e-service providers have come into play, offering affordable and scalable RegTech solutions for automated compliance with GDPR mandates.
What is the General Data Protection Regulation (GDPR)?
The GDPR - General Data Protection Regulation - is the law approved by the European Parliament and the Council of the Union which regulates any aspect related to the processing of personal data of individuals.
This standard focuses on the protection of data provided by individuals to other organizations, companies, institutions, or professionals and how they are used or distributed. Its requirements generally apply when a subject is in possession of data of citizens or residents of the European Union, in addition to requesting controls to European companies with respect to the treatment they make of data of non-residents if they have delivered them in European territory and under a framework of the provision of services or purchase and sale of products (any commercial or non-payment marketing activity included).
The General Data Protection Regulation came into force on May 24, 2016, although it was not until the 25th of the same month in 2018 that the sanctions and fines for not complying with it comprehensively began. In that two-year period, companies transformed their processes and operations in such a way that they complied with the requirements agreed in the regulation. However - and unfortunately -, even today we cannot say that all organizations and companies are adequately complying with the GDPR.
The GDPR replaced its predecessor, the Data Protection Directive (adopted in 1995). With the rise of online transactions and widespread concern about how some companies were using their customers' personal data, both this past directive and the variety of data protection rules in the various EU member states needed to be updated.
Moreover, the new regulation not only replaces all existing legislation on the protection of personal data, but also expands and extends the rights of citizens and users over their data and the information they have provided. Moreover, it is even capable of giving users the ability to manage the use of personal data by companies ex post facto, almost immediately.
About the Organic Law on Data Protection - LOPD
Although LOPD - Organic Law on Data Protection - web searches are still common, the truth is that this 1999 regulation is no longer in force. If we want to delve deeper into how Spanish legislation was adapted to transfer the GDPR to its legal framework, we must look at the LOPDGDD (Organic Law on Personal Data Protection and Guarantee of Digital Rights).
Just like the rest of the European countries, Spain replaced its own regulations on data protection so that its legal framework would be at least as demanding as the European General Data Protection Regulation. On December 6, 2018, the LOPD-GDD came into force.
Thus, with the national transposition of the GDPR by the states, the European regulation was extended to all EU markets and had an impact on all facets of the economy and society. Data protection agencies even began to provide tools for companies that process personal data so that they could analyze the impact of the new regulatory framework according to their characteristics and the nature of their activities.
It is important to understand that any business, organization, or professional that performs economic activities is susceptible to complying with the requirements of the GDPR since it affects virtually any activity. Personal contact or billing data, even some as simple as email, first and last name, or telephone number, must be treated with the utmost diligence.
However, governments remind that these self-assessment tools are only indicative and do not absolutely guarantee that the processes of the business or company are in full compliance with the requirements of the data protection regulation or equivalent national laws. It is therefore advisable to turn to Trust Services Providers and RegTech specialists to examine the company's processes together with them, proposing simple tools to automate compliance.
eIDAS, a joint strategy together with GDPR
The European countries have set as a global strategy the creation of an ecosystem that can be considered a single digital market. This project aims to create opportunities and synergies between European players as well as to facilitate the establishment and investment of other companies in EU territory.
Regulations such as AML6 (Sixth Anti-Money Laundering Directive) and eIDAS - together with the GDPR - are part of this strategy and contribute to the development of a homogeneous framework in which users and companies can get the best out of each other.
The eIDAS (electronic IDentification, Authentication, and trust Services) Regulation is complemented by the RGPD and the NIS Directive (which guarantees a high level of security for networks and information systems) to create a digital framework for secure transactions. This enables relevant use cases such as the instant opening of bank accounts over the Internet, the contracting of insurance, or the direct debit of utility bills (electricity, water, gas, telephone...).
Software and applications to protect company data
Disputes over companies' treatment of customer data have increased exponentially in recent years. Awareness on the part of users and awareness campaigns broadcast in the media make it increasingly difficult for a company to afford not to comply fully with the mandates of the General Data Protection Regulation.
As a result, businesses have begun to rely on specialized RegTech software designed to make their processes compliant with the requirements of this regulation. In most cases, it is not merely installable software that helps comply with already established processes, but businesses integrate tools that solve use cases where the GDPR comes into play.
Regulatory compliance with the regulation is mainly based on keeping the documentation of clients, employees, and users up to date and in accordance with consent. A record of operations (traceability) must be kept, which must be included in the RATs (Treatment Activity Records).
Therefore, electronic signature and certified communications tools are among the most important and complete software for complying with data protection regulations and at the same time digitizing tasks such as contracting (both commercial and labor) or the acceptance of terms and conditions.
Electronic and digital signature for data protection
One of the key issues in relation to the topic at hand is that of consent. A large part of the problems and disputes with customers is about obtaining their permission for the use of their data in one way or another.
The electronic signature (based on eIDAS and compliant with the GDPR) solves this issue by creating an agile and secure model in which the customer's favor can be obtained through a simple and convenient tool. The customer perceives security by approving their requests or consents through the system of a Trust Services Provider approved by the ministry of the country in question, while companies gain the support they need in the face of possible problems or disputes.
Recording and sealing user activity in compliance with regulations is a legal imperative as well as insurance for business sustainability. The best advanced and certified electronic signature solutions are able to be launched in the company's applications without the need to install complex programs thanks to their web service approach. Compliance with the GDPR is now easier and more affordable than ever, both for large corporations and for SMEs or freelancers.
Relevant use cases where to take into account the GDPR
Data collection and processing is a standard procedure in all company functions. However, there are certain functional areas that have a heavier workload with respect to these types of issues.
Now, with the new data protection standard, we consider many previously non-sensitive data to be protected. IP addresses, location data or even data defining cultural or social identities must be treated with the utmost care.
What companies do with the data and the data itself is much more controllable by users, who have seen their rights over the information they have already decided to give up greatly increased, being able to change their minds at any time and forcing companies to modify these agreements. This has led to companies having to establish procedures for these situations.
Fortunately, as we have seen, companies can now count on simple tools that facilitate these procedures and that already have standardized models of operation required by the GDPR.
In the area of talent management and labor relations, there are many issues to consider in relation to data collection and processing in compliance with the GDPR and the Data Protection Act. It is crucial for HR and personnel teams to have e-signature tools for a wide variety of use cases.
Signing, sending payrolls, signing employment contracts, internships, agreements with trade unions, universities... Compliance with regulations with an electronic signature solution is crucial for this type of case.
Customers and commercial transactions
The General Data Protection Regulation also affects the contracting of third parties that are used to handle data. This makes the companies that collected the data liable if there is misuse by a supplier or third party. This implies great care on the part of marketing, operations, and sales departments and their agencies or professional service providers in the area.
The processes of contracting products and services, as well as the collection of information for their activation, must be carried out with care and under the rules of not only general data regulation but also taking into account sectorial regulations.
In industries such as BFSI (Banking, Finance, and Insurance) where AML regulations come into play along with data protection regulations, the sensitivity of these operations and their level of risk is really high. For this reason, Know Your Customer tools to validate and verify the veracity of the information and data provided by customers are necessary even beyond their subsequent storage and processing in accordance with the law.
In any industry
As we mentioned at the beginning of this article, beyond human resources and commercial relations - areas where the GDPR has a huge impact - the regulation affects absolutely all industries.
In this way, the three types of actors with respect to data must be taken into account: data subjects, controllers, and processors. On this basis, all companies must begin to standardize processes to avoid the penalties and fines involved in not complying strictly with GDPR requirements. Let's remember that the controllers and processors indicated can be anywhere in the world, not necessarily in the EU.
The right to erasure (right to be forgotten), data portability, governance and information on processing must be complied with under all circumstances. Fortunately, having the right tools for this will save costs, make the company's activity more agile and gain the trust of our potential customers and current users, which will result in great growth.