Although the GDPR has been in force for almost a year, there are still many companies that do not comply with the provisions of the European Union, according to a study by the Spanish Agency for Data Protection. Next, we analyze what is being done wrong in Spain and what to do to solve it.
It has already been almost a year since the General Data Protection Regulation (GDPR) came into force throughout the European Union. The main objective of this new legislation was to offer the user greater protection of their personal data, increase their privacy and give them more tools to defend themselves.
In the previous months, we analyzed at length the most important changes of the GDPR, such as informed consent or how these developments would affect the health sector and laboratories. A month later, we reviewed the situation in which the companies were once the regulation became mandatory.
On this occasion, almost one year after its entry into force, we will know in what state is the data protection in companies in Spain and we take a brief look at the rest of Europe.
First sanctions in Europe
Compliance with the GDPR can easily be seen in the number of fines that the relevant authorities of each country have issued, such as the fine of € 4,800 imposed on a bookmaker by the Austrian Data Protection Authority (DBS).
The reason for this sanction is that the business had a security camera on the outside of the premises that pointed to a large part of the sidewalk and lacked the necessary signage warning that there was a video surveillance system there. Although to some it seemed a minor fine, the DSB has justified it based on the principle of proportionality.
To avoid this type of incidents, the Spanish Data Protection Agency has on its website a guide on the use of this type of security cameras and their adaptation to the set of obligations contemplated by the GDPR.
The National Commission for Data Protection in Portugal has also had to act in this first year of implementation of the GDPR, in this case with a much higher economic penalty. The affected was a hospital in Portugal, which must face a fine of € 400,000 for the violation of the principle of integrity and confidentiality and the principle of minimization of data and malpractice of the person responsible for processing the data.
The hospital kept access to more than 900 professionals open when there were fewer than 300 doctors on staff, so the Commission assessed that the necessary control and authentication measures had not been implemented, nor a system of different levels of access. In addition, it is important to highlight that medical data are considered by the GDPR as special category, so they need greater protection.
The last notable fine within the European Union took place in Germany. The country’s authority imposed a fine of € 20,000 on the Knuddels social network after more than 800,000 email accounts and more than one million users and passwords were leaked due to a hack. All this sensitive information did not have any kind of protection.
Has there been any fine in Spain? So far there have been no economic sanctions, but there has been a warning of compliance to a company that owns two Xiaomi stores in Madrid. They had cell phones that sent daily e-mails containing information such as the cashier and billing of the store and personal data of employees and even some buyers.
Thanks to the willingness to amend the error and to have established sufficient measures to increase protection, the AEPD decided not to sanction them with a fine, which, in these cases, could reach € 10 million or 2% of the annual turnover.
Current status of the GDPR in Spain
With regard to consent, the majority of those analyzed continue to use a single box to give consent in block, despite the fact that the text lists different purposes for personal data. In these cases, a box should appear for each of the different purposes. The user must be able to choose what they want to be done with their data.
The legal texts also sin to use too ambiguous language and unspecific expressions, which do not provide real information for the client. The same thing happens with the time of conservation of the data, which is not expressed with exactitude, or in some companies this detailed deadline stipulated by law is not even detailed.
Finally, one of the most common mistakes (three out of four companies) is not to include the legal basis that legitimates the processing of such personal data. The GDPR offers six possible legal bases for this purpose.
In addition to this report by the competent organization, the company Fellowes conducted a study in which it concluded that 14% of Spanish workers do not comply with the GDPR (a figure slightly lower than the European average that is 18 %). In addition, 13% have not received any kind of informative note about changes related to data protection.
The importance of the clauses of the obligatory reading
After verifying that there is still a way to go to comply with the GDPR, it is important to highlight the importance of companies using solutions that comply with the current legislation in terms of data protection. As we have seen previously, breaking this regulation implies economic sanctions, which, in some cases, can be very large.
Digital signature solutions, such as the Viafirma case, offer many advantages to comply with legality such as the mandatory reading clause. Most people do not read all the contracts or the privacy policies that concern them, and with Viafirma’s solution, the complete reading of the clauses is assured and their compression is helped.
In short, we must continue with the effort to adapt to the latest changes in the legislation, which, after all, only seek to give a greater degree of protection to the end user. In this process, it is important to rely on technological solutions that reduce work and make things easier.