Data Protection Changes for 2022

In 2018, the European Data Protection Regulation implied significant changes for SMEs. Further modifications followed in 2021 with the publication of Organic Law 7/2021, of May 26, which obliged all companies to update their content. Now SMEs are wondering whether there will be changes again, and what the changes in terms of Data Protection are for 2022.

What is GDPR?

GDPR is the acronym for General Data Protection Regulation, the new regulation regarding data protection that came into force on May 25, 2016, after being approved by the European Union.

The objective behind this new regulation is to regulate, care for and protect the use made of personal data by users, companies and institutions so that their owners have more control over them. In this way, anyone who collects and stores personal data will have to meet a series of very specific new requirements.

Most important changes in the GDPR

In 2018, compliance with this new regulation became strictly mandatory and it replaced the previous legislation on data protection. Since then, the GDPR has been common to the entire European Union so, if you or your business is located in this territory or you manage data of European citizens, you must adapt to the new law, without exceptions, and accept all the changes it proposes.

Sanctions get tougher

From the entry into force of the Law, the Spanish Agency for Data Protection obtained the power to impose sanctions of up to 4% of annual turnover. In addition, serious events can give rise to liability of a civil, criminal and labor nature, which is transferred to the administrators.

The Principle of Active Responsibility (Accountability) is applied

Companies must adapt their procedures, documentation and facilities to the LOPD standard. In the event of any claim or complaint, they must demonstrate that they have adopted all the necessary measures to avoid incidents, which means being able to prove that they have carried out the appropriate steps.

Data protection is established by design and by default

User privacy is essential. Companies must determine from the outset what security measures they have to implement, depending on the data processing to be carried out.

The requirement of consent is reinforced

Consent must be given through an informative declaration or action. Silence or inaction can no longer be taken as consent.

How the new GDPR affects you if you are on the Internet

Any form that appears on your website, whatever its type, in which you collect personal information from your users, will have to be adapted in such a way that it complies with the new General Data Protection Regulation.

In the case of non-commercial web pages or blogs, which do not generate income, the most common ways of collecting personal data, and the ones you must adapt, are:

  • Contact forms
  • Post comment boxes
  • Newsletter subscription forms

In the case of commercial web pages or those that generate direct or indirect income, things get a little more complicated since it will be necessary to comply with the . In addition, in these cases, we can find more complex forms or payment mechanisms to acquire or contract products or services that require additional contracting conditions and a legal notice.

In any case, remember that whenever you collect personal information on your website/blog, whether you generate income or not, you must comply with the GDPR.

Adapt your website or blog to the GDPR

For your website or blog to comply with this new regulation, you must:

  • Clearly and explicitly provide all information regarding the collection and use of personal data to be collected.
  • Enable a mandatory checkbox for users to give their explicit consent for this treatment and their acceptance of the new privacy policies.
  • Collect and store that explicit consent.

But, in addition, the information you provide must be presented in 2 layers as follows:

First layer: summary of Privacy, Legal Notice and Cookies

In this first layer we must include a summary of the information about who is going to be responsible for the data collected and for what purpose it is going to be used. In the event that these data are transferred to third parties, it will be necessary to indicate it and, in the event of having a DPO in charge of managing them, their information and contact must also appear.

In addition, we will have to inform the user about the rights they have to access, modify or delete the data they have provided and add a link to a second layer containing all the complete and detailed information about Privacy Policy, Cookies Law and Legal Notice which must be hosted on our website.

This first information layer must appear in all the forms with which you collect personal data from users.

Second layer: detailed legal documentation

When we talk about information in the second layer, we basically mean that it must be presented in detail and in a separate URL. The second layer must be hosted on your website, in a separate URL, either in different tabs or in a single one with each of the sections well explained and detailed, and must therefore contain the complete information related to the Privacy Policy, the Cookies Policy and the Legal Notice.

Privacy Policy

It must detail how the owner uses the information collected, the purpose, the retention period of these data, the transfer to third parties (if any), etc.

Notice and Cookies Policy

In the section corresponding to cookies you must include all the detailed information regarding the use of your own or third-party cookies and their purpose. However, the user must be informed from the moment they access the website, through a warning of the existence of these cookies and a button for the user to give their consent, with a link to this detailed information.

Legal Notice

It must contain the minimum information necessary for the user to know who is behind the web page: who the owner of the website is, and a contact telephone number and/or email address. The Legal Notice will only be necessary if there is a commercial activity on your website, that is, on those web pages that facilitate, advertise or offer a certain product or service. Only blogs or websites that do not carry out any type of commercial activity will be excluded from this obligation.

How to get explicit consent from your users

In addition to the previous modifications and adaptations, in order to comply with the new GDPR we will have to obtain explicit consent for our use of the data, as well as acceptance of the new privacy policies.

To do this, apart from including a label with the information regarding the use of the data, we will have to include a mandatory checkbox through which users can give their explicit consent to the processing of their data for the purposes that we have stated.

We will have to include this checkbox in all the forms, and it is especially important in the newsletter subscription forms. In this case, we will have to store the corresponding consents so that we can always demonstrate that we have permission to use the data for the purposes that we have stated.

And if I already had my user data before, what can I do?

In addition to the previous steps, mainly focused on adapting each and every one of the web forms with which you are going to collect data, you will also have to take measures if you want to continue using the data you collected before the GDPR.

If you use mailing lists for email marketing campaigns or sending newsletters, for example, you will have to send a new campaign to all your subscribers. In it you must explain how these changes affect them in terms of their privacy and give them the option to renew their subscription to your mailing list by expressly accepting the use that you are going to make of their data.

Only if you get a new, clear and explicit consent from your old subscribers will you be able to continue using their data. Therefore, you will have to send an email campaign to these subscribers to renew their subscription and thus obtain their new consent, this time explicit.
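The following is an added example, not code from the original article: a minimal server-side sketch of the two steps described above, storing a record each time the mandatory checkbox is ticked and using those records to separate subscribers who can be mailed from those who must first renew their consent. The field names, the `NOTICE` object and the record layout are assumptions chosen for illustration, not a legal template.

```javascript
// Assumed description of the first-layer text shown next to the checkbox.
const NOTICE = {
  version: "2022-01",        // hypothetical version label of the notice text
  purposes: ["newsletter"],  // purposes stated to the user
};

// Only an explicit tick counts. An unticked HTML checkbox is simply absent
// from the submission, so a missing or empty field is inaction, not consent.
function isExplicitConsent(value) {
  return value === true || value === "on" || value === "true";
}

// Validate one form submission and append a consent record to the ledger.
function recordConsent(ledger, form, now = new Date()) {
  const email = String(form.email || "").trim().toLowerCase();
  if (!email.includes("@")) throw new Error("invalid email");
  if (!isExplicitConsent(form.consent)) throw new Error("consent not given");
  const record = Object.freeze({
    email,
    purposes: [...NOTICE.purposes],
    noticeVersion: NOTICE.version,
    method: "checkbox",
    givenAt: now.toISOString(),
  });
  ledger.push(record);
  return record;
}

// Addresses with a stored record for this purpose may be mailed; the rest
// (for example subscribers collected earlier) need a renewal request first.
function splitByConsent(ledger, subscribers, purpose) {
  const consented = new Set(
    ledger.filter((r) => r.purposes.includes(purpose)).map((r) => r.email)
  );
  const result = { canMail: [], needsRenewal: [] };
  for (const s of subscribers) {
    const key = s.trim().toLowerCase();
    (consented.has(key) ? result.canMail : result.needsRenewal).push(key);
  }
  return result;
}

// Constructed sample data.
const ledger = [];
recordConsent(ledger, { email: "Ana@example.com", consent: "on" },
  new Date("2022-01-10T09:00:00Z"));
const split = splitByConsent(
  ledger, ["ana@example.com", "old.subscriber@example.com"], "newsletter");
console.log(split);
```

In a real deployment the ledger would be an append-only table rather than an in-memory array, so that earlier records cannot be silently edited.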

Sanctions if you do not comply with the regulations

In 2021, Spain broke a record in terms of sanctions by the Spanish Agency for Data Protection (AEPD), which proposed 47% more sanctions than in 2020. Internet services and delinquent files are the services against which the most sanctions have been imposed.

The sanctions imposed on companies for not complying with the obligations entailed by the Data Protection Law can be of 3 types: minor, serious or very serious.

  • Minor offenses range between 900 and 40,000 euros. An example of a minor infringement would be not registering the data file in the General Data Protection Registry or providing the AEPD with incomplete information.
  • Serious offenses carry fines of between 40,001 and 300,000 euros. An example would be an SME processing personal data without the express consent of the user or using a certificate that has expired.
  • Very serious offenses, on the other hand, involve fines of between 300,001 and 600,000 euros. An example of conduct that would expose an SME to a penalty of this amount would be collecting data fraudulently or ignoring cancellation requests.

As you can see, all businesses, to a greater or lesser extent, have to adapt to the Data Protection Act. That’s why we recommend contacting a professional who can advise you on how to implement improvements in your documentation and processes to comply with it and avoid incidents. Contact us if you want more information.

However negative all this may seem, we should read it quite differently: is this not a good opportunity to clean our contact lists and keep only those who are really interested in our product/service? Whoever decides to give you their consent again, this time explicitly, will do so because they are really interested, and this will increase our chances of success.

Remember that this information is important if you have an internet presence and also run an online strategy or online advertising campaigns.
