Since last May 25th, when the General Data Protection Regulation (GDPR) entered into force, the time has come for us to adapt our companies to the new requirements regarding the processing of personal data. As the sanctions established for non-compliance are so significant (up to 4% of a company's turnover), not meeting the new legal requirements does not seem an option.
The global political decision to protect our privacy, given the threat posed by the high computational capacity now reached, Big Data and artificial intelligence, is a fact, and the European Union has adopted an extremely active role in this regard.
Nowadays all of us, whether companies, societies, associations or foundations, store and use personal data to carry out our activities. Among others, we use customer data, employee data, contact data, security camera recordings, access controls to facilities, health data, and data on website traffic (cookies, IP addresses, identifiers...). Until now, each EU country regulated the storage and use of such personal data in its own way, but the different European agencies did not manage to have these rules applied correctly, since there was no real awareness of the importance of personal data.
It is in this scenario that the GDPR breaks in, drastically modifying the way in which the protection of personal data is conceived. It moves from a model of protective measures for data to a model that analyses the risk of each item of data processed. This obliges all subjects to investigate and review the risk of the data processed by each entity, in order to determine which mandatory protection measures should be implemented.
The analysis of the risks associated with data processing is carried out through an audit that establishes the data processed, the purposes of such processing, and the way the data are stored (at both the physical and cybersecurity levels), in order to determine the measures necessary to eliminate or reduce the associated risks.
And as guarantor of the system, with the aim of ensuring awareness of and compliance with the regulation on this matter, the GDPR has a significant system of sanctions for those who do not comply.