GDPR: From Compliance to Implementation
It is true that the GDPR imposes stricter compliance requirements, and that those requirements grow for organisations that, because of the type of data they handle, its volume, any profiling or monitoring they carry out, and so on, have more to comply with. For some companies, however, the new structure will make compliance simpler than it was before.
The Personal Data Protection Act still in force in Spain (LOPD 15/99) set out levels of protection according to the type of data a company handled. For example, organisations that dealt with health records were obliged to implement the security measures of the HIGH level, which are very demanding.
In practice, this meant that a doctor with a private practice in a home office, who treated two, three or five patients a day and performed no tests, still had to implement the same data protection measures as a hospital or clinic. There is no comparison between the structure of one practice and the other, yet the implementation standards the law required fell in the same category and therefore had to be applied uniformly across every kind of medical practice.
This point changes with the new regulation:
The GDPR tells us that we must guarantee the rights of the people whose data we hold, and the integrity and security of that data, but it does not prescribe concrete or specific security measures for companies to carry out.
What does this mean? The GDPR lets us adjust the measures we apply to the characteristics of each organisation: the kind of data it handles, the technical resources it has available to meet compliance, and so on.
That said, we should always establish processes or protocols that not only implement these measures but also let us prove and demonstrate that they are being carried out.
In practice, we find ourselves faced with "a continuous process of reviewing compliance". This means that, in the face of any incident, inspection or complaint, we can demonstrate that we have been applying measures adequate to the data at hand, both at the organisational and technical level and in how we handle the exercise of data subjects' rights.
Concerning specific requirements, what the GDPR tells us about data security is the following:
According to Article 32 of the EU GDPR, "Security of processing": "…[T]he controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:"
· (a) the pseudonymisation and encryption of personal data;
· (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
· (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
· (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
As we can see, like Caesar's wife we must be above suspicion: it is not enough to comply adequately with the legislation, we must also be able to show that we do.
In practice, we will find organisations that already have security measures built into their processes for handling personal data. Where those measures are valid, coherent and consistent with the GDPR, what remains is to review their effectiveness and to set up a process of verification, evaluation and periodic assessment that lets us check that they continue to comply with the regulation.
For example, many organisations already have a data processing system that separates a customer's data from the customer's identity and substitutes a customer code for it, so that the system works only with the code and never with the personal data it was derived from; only the coded values remain in the processing system.
Nonetheless, enterprises that have not previously had security measures in place will have to complete a series of additional tasks to reach the same point of compliance.
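The customer-code approach just described is pseudonymisation in the sense of Article 4(5): the processing system keeps only a code, and the "additional information" needed to attribute the code to a person (here, a secret key and a code-to-identity table) is held separately. The following is an added illustration written for this page, not code from the author or from any product he describes; the record layout, field names and the `Vault` / `pseudonymise` helpers are assumptions chosen for the example, and the sample records are constructed.

```python
"""Pseudonymising customer records with a separately held key and
re-identification table. Added example; not the original page's code."""
import hashlib
import hmac
import secrets

# Constructed sample input: direct identifiers plus the data the
# processing system actually needs to work with.
SAMPLE_RECORDS = [
    {"name": "Ana Pérez", "national_id": "12345678A", "email": "ana@example.com",
     "visit_date": "2018-05-03", "diagnosis_code": "J06.9"},
    {"name": "Luis Gómez", "national_id": "87654321B", "email": "luis@example.com",
     "visit_date": "2018-05-03", "diagnosis_code": "I10"},
    {"name": "Ana Pérez", "national_id": "12345678A", "email": "ana@example.com",
     "visit_date": "2018-06-11", "diagnosis_code": "J06.9"},
]

# Fields that identify a person directly and must never reach the processing system.
DIRECT_IDENTIFIERS = ("name", "national_id", "email")


class Vault:
    """Holds the secret key and the code -> identity table (the 'additional
    information' of Art. 4(5)). It must live in a separately controlled system;
    in this example it is simply a distinct object the processing code never touches."""

    def __init__(self, key=None):
        # Assumption: a 256-bit random key, generated and stored only inside the vault.
        self.key = key or secrets.token_bytes(32)
        self._identities = {}  # code -> identifying fields

    def code_for(self, record):
        # Keyed hash (HMAC-SHA256) of the stable identifier: the same person always
        # gets the same code, so the processing system can still link visits, but
        # without the key nobody can reproduce or reverse the code.
        digest = hmac.new(self.key, record["national_id"].encode("utf-8"),
                          hashlib.sha256).hexdigest()
        code = "CUST-" + digest[:16]
        self._identities.setdefault(code, {k: record[k] for k in DIRECT_IDENTIFIERS})
        return code

    def reidentify(self, code):
        # Only the vault can turn a code back into a person.
        return self._identities[code]


def pseudonymise(records, vault):
    """Return the rows handed to the processing system: the customer code plus
    the non-identifying fields. Direct identifiers are stripped."""
    out = []
    for record in records:
        row = {"customer_code": vault.code_for(record)}
        row.update({k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS})
        out.append(row)
    return out


def contains_direct_identifiers(records):
    """Check a practitioner would run before releasing data to the processing system."""
    return any(k in row for row in records for k in DIRECT_IDENTIFIERS)


def visits_per_customer(records):
    """Processing that still works on the coded data: count visits per customer."""
    counts = {}
    for row in records:
        counts[row["customer_code"]] = counts.get(row["customer_code"], 0) + 1
    return counts


if __name__ == "__main__":
    vault = Vault()
    processing_copy = pseudonymise(SAMPLE_RECORDS, vault)
    for row in processing_copy:
        print(row)
    print(visits_per_customer(processing_copy))
    code = processing_copy[0]["customer_code"]
    print("vault re-identifies", code, "->", vault.reidentify(code)["name"])
```

Two caveats matter in practice. First, pseudonymised data is still personal data under the GDPR (Recital 26), because the vault can re-identify it; the measure reduces risk, it does not take the data out of scope. Second, the guarantee depends entirely on keeping the key and the table away from the processing system: anyone who holds the key can recompute the code for a known national ID, and anyone who holds the table can reverse every code.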
Álvaro Orts Ferrer
He is a lawyer admitted to the Valencia Bar Association (Ilustre Colegio de Abogados de Valencia, ICAV) and a legal consultant on GDPR/LOPD/LSSI. He is also the founder of Orts Consultores, a legal consulting firm offering personalised legal services in many areas, both to individuals and to companies.