The new GDPR: How it affects informed consent

The new General Data Protection Regulation was approved almost two years ago, which means that the adaptation period granted by the European Union ends on May 25, 2018. What changes does the GDPR bring? How does it affect informed consent?

On May 25, 2016, the EU approved the General Data Protection Regulation (GDPR), with the aim of having a single data protection policy throughout the territory of the Union. The regulation therefore replaces the member countries' own laws on the matter. In the case of Spain, this law is known as the LOPD, Ley Orgánica de Protección de Datos (Organic Law on Data Protection).

As we already told you back then in our blog, the EU left a period of two years for the adaptation of the regulations then in force and the processes of the institutions and entities that keep, process or simply deal with personal information. Thus, as of May 25, 2018, this regulation will be mandatory.

This change in legislation has been made mainly with the interests of users in mind, who will have greater protection of their privacy and more rights with respect to the processing of their data. This is why it affects the process of obtaining informed consent, which in many cases also involves sensitive information.

Two fields in which informed consent takes on particular importance are the clinical and laboratory sectors, since they work not only with standard personal data, but also with what is known as sensitive information. Thus the importance of the correct application of the GDPR is even greater in these sectors. In addition, the modification of the definition of consent will also have an impact on the way in which consent is acquired and on each company’s own processes.

What changes does the General Data Protection Regulation introduce?

In an effort to eliminate bureaucratic hurdles, the registration of data with the corresponding authority, in our case the Spanish Data Protection Agency (AEPD), will no longer be necessary, but the company is obliged to keep an internal register.

In order for users to be more aware of what happens to their data, security breaches must be notified within a maximum period of 72 hours. As for preventive measures, the GDPR now establishes the obligation to adopt security measures tailored to the specific risks to privacy in each company.

The figure of the Data Protection Officer is of great importance, since he/she is the person in charge of supervising the security of the data and the one who will serve as a communication link with the competent authority.

The user’s protection is strengthened by a number of rights and modifications that are designed to increase his or her decision-making capacity and control over his or her own data. The right to be forgotten allows the user to demand that personal data be deleted once the purpose for which it was collected has been fulfilled.

The right to portability lets users retrieve their data in a format that allows them to transfer it to a different data controller. Finally, we come to the modification of the definition of consent, which we will now unpack with all the implications it entails.

Changes in obtaining consent

Consent is the act by which the data subject agrees to the processing of his or her personal data. The new GDPR maintains this definition, but modifies the necessary circumstances in which this consent occurs.

Article 4.11 reads as follows: “Consent is any freely given, specific, informed and unambiguous indication of the data subject’s agreement, either by a statement or by a clear affirmative action, to the processing of personal data concerning him or her.”

This change means that what was previously known as implied or tacit consent is no longer valid; the regulation clearly specifies that “silence, already checked boxes or inaction shall not constitute consent”.

The regulation specifies that the “clear affirmative action” “could include checking a box on an Internet website, choosing technical parameters for the use of information society services, or any other statement or conduct that clearly indicates in this context that the data subject accepts the proposal to process his/her personal data”. Viafirma Documents makes it very simple to include text that the signer marks as read and unequivocally approved.

Let’s look one by one at the main features of consent in the GDPR and what they mean:


Firstly, consent must be free, i.e. the data subject must have a real choice whether to accept or not, and in the event that he/she decides to refuse consent, he/she must not suffer negative consequences.


The consent must be specific, which means that the purposes of the processing of the data transferred must be specifically stated and in no case may it be extended once the data subject has consented to the collection and processing of his or her data.

The use of digital signature solutions adapted to the regulations, as is the case of Viafirma Documents, facilitates the fulfillment of this requirement through the encryption of the information and a time stamp that guarantees the unalterability of the document after the signature.


The consent must be granular, i.e. there must be a consent option for each purpose of the data transferred, and informed, i.e. the document must include the need, purpose and temporality of the data processing, and the data subject’s rights and how to exercise them and information regarding the Data Controller and/or Data Processor, as well as the Data Protection Officer, if applicable.

In this way, solutions such as Viafirma Documents, which have a template editor to create consent documents, make it possible to guarantee compliance with this requirement in a simple and intuitive way.


Lastly, the consent must be verifiable thanks to the principle of proactive responsibility (accountability). Not only must all of the above requirements be met, but it is also necessary to be able to verify various details a posteriori.

The company must identify the signer with his/her full name or other equally valid elements. Viafirma Documents allows adding several pieces of evidence to help the signer’s unequivocal identification, such as photographs and biometric data, geolocation, etc.

If the consent is made in writing and by an online means, it is mandatory to have the time stamp for verification. As for the information the data subject receives, a two-layer model is recommended. The first layer provides the basic information for the data subject, and the second completes it with the complementary information necessary to comply with the GDPR.

In short, after this review of the novelties of the new regulation implemented by the European Union, solutions such as Viafirma Documents are now more necessary than ever to comply with the GDPR, especially if we take into account that only 10% of Spanish businesses are prepared, according to a survey conducted by Microsoft and IDC.

We will be back next week.

