the celebration of The Day of the Protection of Data reminds us every January 28, in full digital era, the importance of that, companies must commit to manage the personal information of their customers with sincerity. Especially now that it has entered into force a new european Regulation.

Day of the Internet Safe, Backup Day, the Day of the Security of the Information Security Day on the Job… there are several celebrations throughout the year, exploring the different faces of the safety and attempt to capture the attention of people and companies. These events fulfill its role of reminding us that we must not take any question for granted, and that the most cost-effective measures that help to mitigate risks, so much the better. Another one of those “Day of…” is the Day of the Protection of Data, that falls on January 28, and puts the accent on the need of awareness and responsibility on the management of personal information. A information that, due to the popularization of the online services, and also with the rise of cybercrime, it becomes more present and more valuable than ever.

This year the commemoration of the Day of the Data Protection is particularly relevant, because there is a new Regulation at european level “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, the Regulation (EU) 2016/679. The entry into force of this Regulation, which took place on the 25th of may, 2016” and that “will be applicable as of may 25, 2018, has been a major milestone in the world of data protection”, highlights Rafael Garcia Gozalo, head of the International area of the Spanish Agency of Protection of Data (AEPD), in a statement to, “in that it establishes new rules of the game for those who try personal data. And this, of course, need to continue the work of awareness-raising among companies, one of the priority axes of action of the AEPD in this year 2017”. A year in which we must learn well the lesson of the protection of data and begin to apply it accordingly.

“In Spain, the AEPD is doing a great job of protecting the data of the Spanish users”, values Paul Corrales, a lawyer of the firm Abanlex specialized in these matters, to whom we also asked about the status of such protection in Spain. Is it necessary to continue raising the awareness of enterprises of our country about the issue of the protection of data or a lot of work remains to be done in the midst of the era of Big Data, the cloud computing and the scan? Despite the good work of the competent bodies, “still misses an entrepreneurial culture more inclined to consider the data of the users an important asset and should be protected in the most effective manner possible,” says Corrales. It distinguishes between two realities. While those “companies that base their activity on the data processing itself, particularly its measures to protect the data of their users, the rest of the companies seem to consider the obligations relating to data protection as an obstacle generated by the Administration”.

“In my opinion”, adds the lawyer, “companies should address the protection of data of its customers as a sign of quality that we can offer to your customers, suppliers and other actors with which they relate.In this sense, from the Spanish Agency for Data Protection indicate that «adaptation to the European Regulation will undoubtedly be one of the great challenges not only for SMEs», which are legion in Spain, «but for the Agency» that right now «it is working to offer solutions that facilitate compliance with the obligations imposed by the Regulation to those responsible for the processing of personal data». This after that between 2015 and 2016 he has executed “the 76 actions he had planned”, wielding a “Strategic Plan 2015-2019” that takes into account accoun la pr < strong> inclusion and awareness as essential aspects to spread and establish a culture of data protection ”.

List of most frequent errors

Although they shouldn’t do it, companies still make protection failures. «The main mistakes of companies are to underestimate the importance that data has for their customers and the usefulness of such data for their own business activity ,» says Pablo Corrales, who recalls that «citizens every time They are more aware of the importance of the security and privacy of their personal data. Since Edward Snowden revealed the massive espionage practices of the United States government through many American companies, citizens have developed a great sensitivity about the treatment of their personal data, ”Corrales insists,“ to the point that This treatment has become one of the points to consider when choosing the services of one company or another. ”

 Source-Shutterstock_Autor-Marafona_seguridad-breach-data  Mistakes penalize, and it is logical that people are not willing to make deals with organizations that do not value the data of their users or customers properly. That they are not transparent about the treatment they are given, about their storage and their possible sharing with governments. And they do not put into operation the necessary and existing measures to keep them safe from unauthorized third parties. In the end, the issue of protection allows weaving a relationship of trust between all parties. «On the other hand,» added from the law firm Abanlex, «the correct treatment of personal data, can bring great benefits to companies by helping them better understand the needs of their customers and with it, be much more effective in offering their services. ”

List of key obligations

The obligations in data protection by companies are included both in the new Regulation published by the European Union and by «the LOPD» or Organic Law 15/1999 on Protection of Personal Data «and the regulations that develops it ”, as pointed out by the Abanlex member consulted by . There are some that are worth emphasizing. Pablo Corrales summarizes the main ones in four areas that range from the management of data by organizations to their general strategy. « Some of the most important obligations» , he says, «are those related to the identification and control of the personnel accessing the data, the maintenance of a record of incidents that affect the data, the creation and update of copies of backup and the writing of a security document ”.

Based on the fact that the new Regulation “will change the way in which organizations deal with data protection”, the AEPD through its head of the International area warns that “it will be necessary for all organizations that process data personnel carry out a risk analysis of their treatments to know what measures they have to apply and how they have to do it. They must also review the way in which they obtain and register the consent, since cases of tacit consent that are accepted today will cease to be when the Regulation is applied ”. A change coupled with the new scenario «is that consent must be given through a statement in this regard or through a clear affirmative action,» says Rafael García Gozalo. “It is important to know that consent will not be understood as granted when it is based on the inaction of the person. That tacit or omission or lack of action consent is not valid under the Regulation. For the rest, it is required, as has been done so far, that unequivocal consent be free, specific and informed. ”

List of possible consequences

And who does not comply with the provisions, will have to face the consequences. Both loss of reputation and customers, as monetary. García Gozalo points out that the new Regulation “establishes that data security breaches must be notified to the control authorities without undue delay, no later than 72 hours after it has been recorded. » That is, «unless it is unlikely that such a breach of security constitutes a risk to the rights and freedoms of natural persons,» qualifies this expert. «From the breach of the obligations», he continues, «could result in the imposition of an administrative penalty.» How much money are we talking about? «Important administrative fines that can reach up to 20 million euros are contemplated. or 4% of the total annual global turnover of the previous year,» reports Pablo Corrales, «opting for the largest amount.» .

Corrales delves into the change that assumes that «companies that suffer breaches in the security of personal data» become «obliged to inform all those individuals who may have been affected». In the «case of not knowing which has been affected, will have to publish in a media the existence of such a security breach,» deepens this lawyer. «This, however, can be avoided if previously measures have been taken that do not allow the data to be readable by third parties, such as encryption.» What is the best way to abandon bad practices regarding data protection? The sanctions provided by law? The formation? Information campaigns? The signing of specialized teams? “The best way,” says Corrales, is that the company “has professionals in charge of the correct implementation of the necessary measures to maintain” its “security at all times, that has a specialized team both in the legal and technological fields so that the transposition of the legal provisions to the reality of the company is effective and complete ”.

“One of the hallmarks of the new Regulations,” according to Rafael García Gozalo, “is also one of the tools that can be more useful to the companies to the hour to adapt to the scheme that deploys the new european standard of data protection”. And what is it, specifically? is “The principle of active responsibility or preventive”, resolves to Garcia. “This principle is based on a series of measures with the adoption of the responsible would be in a position to ensure and demonstrate that the processing of data is carried out in accordance with the Regulations”. From the regulatory body in Spain bet everything on a case-by fostering “a culture of protection of data between organizations”, especially in “smes, which make up 99 % of the Spanish business fabric”.

List of goals for 2017

Source-Shutterstock_Autor-igor.stevanovic_seguridad“For smes and micro the main added value of the Regulation is that determines that all organization will need to make an assessment of the risks posed by the processing of data carried out. For small and medium sized businesses this is a great step forward, because it implies taking a greater awareness of what data are handled and how it is done,” stresses Rafael García Gozalo, that in the act itself see “several” tools » that are made “available to the data controllers to adapt to the norm and get an advantage competitive of that compliance.” In general terms, “to all the organizations I think that the best advice one can give is that you apply without preconceived prejudices of the measures that the Regulation provides for. In reality it is a few measures that can be considered essential if you are trying to properly personal data,” says the representative of the AEPD.

“The organizations that carry out treatments of data should be clear and minimally documented some essential aspects of those treatments. And those that carry out complex treatments with a high potential impact should be to make an assessment of that impact and to take the necessary measures,” continues Garcia. “The same could be said of other measures, such as safety or the designation of a data protection officer or the implementation of data protection from the design, presents the Regulations”.For his part, Pablo Corrales recommends above all «that the company has both legal professionals and computer experts . The first will be necessary to identify the obligations that the regulations on data protection collects and the second to implement those obligations effectively in the company’s systems ”.

«I would also emphasize,» says Corrales, «on the importance of the training of employees of the company for the security of personal data. Training is the best way for security measures designed by professionals responsible for data protection to be effectively implemented in all areas, ”he says. «Lastly, regardless of whether the regulations require it, I believe that keeping customer data encrypted is one of the best measures that a company can implement to keep the data for which it is responsible secure. » And in this process they should accompany the authorities. «From the AEPD we are willing to offer organizations» those «resources that allow them to better understand the scope of these obligations and apply them in the simplest way possible,» says the head of the International area. “But it cannot be overlooked that the Regulation requires that entities that process personal data assume a position of proactive responsibility. The supervisory authorities are willing to support the exercise of that responsibility. ”