The General Data Protection Regulation was approved almost two years ago, which means that on May 25, 2018 the adaptation period granted by the European Union comes to an end. What changes does the GDPR bring, and how does it affect informed consent?
On May 25, 2016 the EU adopted the General Data Protection Regulation (GDPR) with the objective of a single data protection regime across the whole of the Union. Because it is a regulation rather than a directive, it applies directly in every member state and takes precedence over national data protection laws. In Spain the law it displaces is the Organic Law on Data Protection (LOPD).
As we anticipated on this blog at the time, the EU allowed a two-year period to adapt the legislation then in force, and the processes of the institutions and entities that store, process or simply handle personal data. From May 25, 2018 the regulation is therefore mandatory.
The change was made primarily in the interest of the data subject, who gains stronger protection of their privacy and more rights over the processing of their data. That is why it affects the process of obtaining informed consent, which in many cases involves sensitive data.
Two fields in which informed consent is especially important are clinical practice and laboratories, since they work not only with ordinary personal data but with what the GDPR calls special categories of personal data (Article 9), which include data concerning health and genetic data.
The correct application of the GDPR therefore matters even more in these sectors. In addition, the modified definition of consent changes the way consent has to be obtained and the processes of each company.
What changes does the General Data Protection Regulation introduce?
In an effort to remove bureaucratic obstacles, registering data files with the supervisory authority, in our case the Spanish Data Protection Agency (AEPD), is no longer required; instead the company is obliged to keep an internal record of its processing activities (Article 30).
So that the people affected learn promptly what has happened to their data, personal data breaches must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of them (Article 33); when the breach is likely to pose a high risk to the individuals concerned, they must be informed as well (Article 34). As for preventive measures, the GDPR requires security measures appropriate to the specific privacy risks of each company's processing (Article 32), rather than a fixed checklist.
The figure of the Data Protection Officer (DPO) is very important, since this is the person responsible for supervising the protection of the data and who acts as the point of contact with the supervisory authority. Appointing a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale processing of special categories of data, which, depending on scale, can include hospitals and clinical laboratories.
Protection of the data subject is reinforced by several rights and modifications intended to increase their decision-making power and control over their own data. The right to erasure (the right to be forgotten) allows a person to demand that their personal data be deleted once the purpose for which they were collected has been fulfilled, among other grounds.
The right to data portability lets the data subject receive their data in a structured, commonly used and machine-readable format so that they can transfer it to another controller. Finally, we come to the modified definition of consent and all the implications it entails.
Changes in obtaining consent
Consent is the act by which the data subject agrees to the processing of their personal data. The GDPR keeps this definition but changes the conditions under which such consent is validly given.
Article 4(11) reads as follows: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This means that what was previously known as implied or tacit consent is no longer valid; Recital 32 states explicitly that “silence, pre-ticked boxes or inactivity should not therefore constitute consent”.
The same recital explains what a “clear affirmative action” can be: it “could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data”. Viafirma documents makes it simple to include the text to be read and an unambiguous acceptance mark.
Let’s see one by one the main characteristics of consent in the GDPR and what they mean:
First, consent must be freely given: the data subject must have a genuine choice to accept or refuse, and refusing must not bring negative consequences. Consent is not free if a service is made conditional on consent to processing that the service does not actually need (Article 7(4)), nor, as a rule, where there is a clear imbalance of power between the parties.
Consent must be specific: the purposes for which the data will be processed must be stated specifically, and once the data subject has consented to the collection and processing of their data those purposes cannot be extended to new ones without fresh consent.
Digital signature solutions adapted to the regulation, such as viafirma documents, help meet this requirement: the digital signature and a time stamp make any alteration of the document after it was signed detectable, so the purposes consented to cannot be silently changed later.
Consent must be granular, that is, there must be a separate consent option for each purpose for which data are requested, and informed, that is, the document must state the need, purpose and duration of the processing, the rights of the data subject and how to exercise them, and the identity of the controller and/or processor, as well as the Data Protection Officer where one exists.
Solutions such as viafirma documents, which have a template editor for creating consent documents, make it simple to meet this requirement.
Finally, consent must be demonstrable, under the principle of accountability: it is not enough to meet all the requirements above, the company must also be able to prove afterwards that it did (Article 7(1)).
The company must identify the signer by full name or other equally valid means. Viafirma documents allows several pieces of evidence to be attached to support unambiguous identification of the signer, such as photographs, biometric data and geolocation. Bear in mind that biometric data collected as evidence are themselves a special category of personal data and need their own lawful basis and safeguards.
If consent is given in writing by online means, a time stamp is required for later verification. Regarding the information given to the data subject, a two-layer model is recommended: the first layer offers the basic information and the second completes it with the additional information needed to comply with the GDPR.
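As an added example (not code from Viafirma or from the original post), the following Python sketch turns the five properties above into checks a consent service could run: an unticked or absent box is inaction and never a “yes”, every purpose gets its own explicit decision, purposes outside the notice are rejected, the exact notice text shown is recorded, and the whole record is sealed with a time stamp so that later alteration is detected and an altered record grants no consent. The purposes, field names and the HMAC-SHA256 seal with a server key are assumptions for illustration; a real deployment would seal the record with a qualified electronic signature and a trusted time stamp instead.

```python
"""Consent record enforcing free, specific, granular, informed and demonstrable consent.

Added example, not Viafirma code. Purposes, field names and the HMAC seal are
assumptions; production systems use a qualified signature and trusted time stamp.
"""
import hashlib
import hmac
import json

# Assumed purposes for a clinical form; each one needs its own decision.
PURPOSES = ("clinical_treatment", "research", "marketing")


class InvalidConsent(ValueError):
    """Raised when a submission cannot count as valid consent."""


def form_to_decisions(form):
    """Map a submitted web form to one explicit decision per purpose.

    Only a box the subject actually ticked (value 'on') is a 'yes'. A box left
    unticked or absent from the submission is inaction, which under Recital 32
    is never consent, so it becomes an explicit 'no'.
    """
    return {p: form.get(f"consent_{p}") == "on" for p in PURPOSES}


def validate_decisions(decisions):
    """Return the list of problems with a decisions dict (empty when valid)."""
    problems = []
    for p in PURPOSES:
        if p not in decisions:
            problems.append(f"no explicit decision for purpose '{p}'")
        elif decisions[p] is not True and decisions[p] is not False:
            problems.append(f"decision for '{p}' must be an explicit yes/no")
    for p in decisions:
        if p not in PURPOSES:
            problems.append(f"unknown purpose '{p}' (purposes cannot be extended)")
    return problems


def _canonical(record):
    """Canonical bytes of the record without its seal (what the seal covers)."""
    body = {k: v for k, v in record.items() if k != "seal"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Tamper-evident seal; stand-in for a qualified signature plus time stamp."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def build_consent_record(subject_id, decisions, info_text, signed_at, key):
    """Create a sealed consent record.

    subject_id : identification of the signer (full name or equivalent)
    decisions  : explicit True/False per purpose (granular consent)
    info_text  : the exact information shown to the subject (informed consent)
    signed_at  : ISO-8601 UTC time stamp supplied by the signing service
    """
    problems = validate_decisions(decisions)
    if problems:
        raise InvalidConsent("; ".join(problems))
    record = {
        "subject_id": subject_id,
        "signed_at": signed_at,
        # Hash of the notice text proves which wording the subject saw.
        "info_sha256": hashlib.sha256(info_text.encode()).hexdigest(),
        "decisions": {p: decisions[p] for p in PURPOSES},
    }
    record["seal"] = seal(record, key)
    return record


def verify_record(record, key):
    """True only if the record has not been altered since it was sealed."""
    return hmac.compare_digest(record.get("seal", ""), seal(record, key))


def has_consent(record, purpose, key):
    """Processing for `purpose` is allowed only by an intact record holding an
    explicit True for it; missing, False or a tampered record all mean 'no'."""
    if not verify_record(record, key):
        return False
    return record["decisions"].get(purpose) is True


if __name__ == "__main__":
    KEY = b"demo-key-not-for-production"                       # assumed server key
    NOTICE = "Purposes: clinical treatment, research, marketing. ..."  # constructed notice
    form = {"consent_clinical_treatment": "on"}                # constructed submission
    rec = build_consent_record("Jane Doe", form_to_decisions(form), NOTICE,
                               "2018-05-25T09:00:00+00:00", KEY)
    print("treatment:", has_consent(rec, "clinical_treatment", KEY))  # True
    print("marketing:", has_consent(rec, "marketing", KEY))           # False
    rec["decisions"]["marketing"] = True                       # later alteration
    print("after tampering, verifies:", verify_record(rec, KEY))      # False
```

The design point is that the record, not the UI, is the evidence: the seal covers the signer, the time stamp, the hash of the notice and every per-purpose decision, so the company can later show exactly what was consented to, when, and on the basis of which text, and any change to a stored decision invalidates the record rather than silently widening consent.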
In short, after this review of the new rules established by the European Union, solutions like viafirma documents are more necessary than ever to comply with the GDPR, especially considering that only 10% of Spanish businesses are prepared, according to a survey by Microsoft and IDC.
We will return next week.