Adaptation to the GDPR (General Data Protection Regulation)
Our intention with this article is to help the self-employed understand what they must do to comply with the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). Before that, however, we want to give you some advice that we consider to be of interest.
1. Companies that sell you the implementation of the GDPR at zero cost
The Spanish Data Protection Agency itself warns of these fraudulent practices on its website. Contracting this type of company can lead to the following problems:
1. Zero cost means financing these services with funds earmarked for subsidised training, a practice that the Labour Inspectorate may penalise as an infringement.
2. Because these companies are exempt from VAT on account of their training activity, they do not apply the correct VAT to compliance services, which are taxed at 21%. This may lead to penalties for tax infringements.
3. Compliance with the GDPR is not a standardised procedure. That means that the same dossier cannot apply to all clients. It is necessary to review, design and apply data protection principles to the specific circumstances of each company.
4. As this is a little-known and relatively new subject, some companies take advantage of this lack of knowledge to “sell” you services that the regulations do not require of you, such as, for example, the appointment of a DPO (Data Protection Officer).
The figure of the DPO is one of the critical elements of the GDPR and a guarantor of compliance with data protection regulations in organisations. However, article 34 of Organic Law 3/2018 on the Protection of Personal Data lists the entities that must designate a DPO, which include (among others): professional associations, educational centres, insurance companies, entities that operate networks and provide electronic communications services, distributors and retailers of electrical energy and natural gas, health centres, and private security companies.
If you are not among the entities listed in art. 34, you do not have to designate a DPO.
And now, we have reached the point that interests you!
2. What do you have to do to adapt your business and processes to the GDPR?
The Spanish Data Protection Agency (AEPD), to help you comply with the GDPR, has created a tool called FACILITA RGPD, which in our opinion is easy and intuitive. However, you have to be patient to carry out the whole process.
This tool helps companies and self-employed people who handle low-risk personal data, such as personal information about customers, suppliers or employees.
The AEPD clearly warns that this tool must not be used for processing that implies a high risk to people’s rights and freedoms, such as health data or large-scale data processing, among others.
3. Advantages of FACILITA RGPD
The advantage of using this tool is that, if you answer its questions truthfully, it assesses your situation regarding the processing of personal data.
That way, you will know whether you can adapt your business using this tool or whether you need to carry out a risk analysis. In the latter case, we advise you to place the GDPR in the hands of professionals in the field of data protection and implement it with all the guarantees.
4. Documents generated by FACILITA RGPD
After you answer all the questions and fill in a form with your information (data that the AEPD deletes once the tool has been used), the tool generates various documents in editable Word format, adapted to your company. These documents are as follows:
– Information clauses that you must include in your personal data collection forms.
– Contractual clauses to be attached to your data processing contracts.
– The record of data processing activities.
– An annex with minimum indicative security measures.
5. Complete these steps using the tool
To give you an idea of the process you will have to complete when you run the FACILITA RGPD tool, here is a summary:
1. With three questions, it determines whether or not you are among the entities that process low-risk personal data. To do so, it asks whether you belong to any of the listed sectors (health, insurance, video surveillance, etc.); whether you process special categories of data (data revealing ethnic or racial origin, genetic data, health data, etc.); and whether you carry out any of the listed processing operations (creating or analysing profiles, advertising and marketing, clinical or health record management).
2. If you answer these three questions negatively, the tool considers that your organisation involves a low level of risk to the rights and freedoms of the data subjects. You can therefore continue with the tool to generate the documents.
3. You must fill in a form with your details, which the tool uses to generate the documents adapted to your company.
4. From this point onwards, it asks you a series of questions about the personal data you process in the course of your activity: information on clients, potential clients, employees, candidates and suppliers (always referring to individuals).
5. If you capture images with video surveillance cameras for security purposes, you will also have to indicate this.
6. Finally, you will also have to indicate the details of the companies you have contracted to provide you with the following services: website maintenance, software development, hosting, email provider, cleaning services, video surveillance service.
6. Actions you have to carry out according to the AEPD
When you finish the programme, it generates the documents described above. The AEPD then indicates the following actions to be carried out:
1. Include the information clauses in the forms through which you collect personal data, whether on paper or through your web page.
2. Implement the technical and organisational measures indicated in the corresponding document.
3. Review the contracts you currently have, include the contractual clauses, and sign them on the last page.
4. Draw up the contracts that you do not yet have, also include the contractual clauses, and sign them on the last page.
5. Keep all documents safe and up to date.
6. Don’t forget that you do not need to send anything to the Spanish Data Protection Agency; you only have to provide these documents if the Agency asks for them.