Every time a user browses the Internet, they share their data, sometimes without being fully aware of it. From the moment you accept cookies on a company's website, for example, you are informing that organization about your browsing habits. When you register on a page, you hand over data from your personal sphere, such as your telephone number or your email address, and it is often not easy to know how the company may use them.
This information, explains Luis A. García, co-director of the Master's Degree in Data Protection and Security at Nebrija University, in Madrid, is essential for companies to carry out their activity. They process and store it in order to offer their goods and services. "An educational center needs students to provide certain personal data in order to teach them the course," explains this expert. Likewise, a small business needs its customers' phone numbers to dispatch their orders through WhatsApp or to send them a newsletter with offers. In addition, companies and self-employed workers can take advantage of this information to carry out studies and improve how they operate, even to launch advertising campaigns. A legitimate use, indicates García, as long as the user is transparently informed about what data is going to be used and for what purpose and, above all, grants their consent.
But companies and the self-employed must be clear that all this data does not belong to them: it is the property of the people who provide it, whether they are users, clients, employees or suppliers, says Ramón Miralles, a professor at OBS Business School and a specialist in Information and Communication Technologies (ICT) Law. For this reason, the main obligation of organizations and self-employed workers is to protect it, because poor custody can lead to the leak of sensitive information. To avoid this, they must know the law and have the physical and digital means to guarantee that protection.
The management and custody of personal data is governed by the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPD GDD), in force since 2018. This law adapts Spanish legislation to the General Data Protection Regulation (GDPR) of the European Union (EU). Francisco Torres, data protection officer of Banco Sabadell Group companies, who will take part in the webinar "Protection of your customers' data: is your company prepared to comply with regulations?", organized through Banco Sabadell's HUB Empresa, indicates that this law places the owner of the data at the center of decision-making and requires that companies and the self-employed act responsibly to guarantee privacy. Jaume Feliu, engineer, executive director of the PymeLegal consultancy and data protection officer, who will also take part in the webinar, explains that non-compliance entails sanctions of up to 4% of the previous year's turnover or 20 million euros in the most serious cases.
What kind of data should companies protect?
Based on the impact that a leak would have on the data subject's right to privacy, the law distinguishes between basic data and special categories of data.
● Basic data are the most elementary: name, sex, national identity document number (DNI) or mother tongue, among others. They also include data on social circumstances and lifestyle, such as marital status, educational level, the characteristics of the home in which the person resides, their salary or the subsidies they receive. This category also covers information of a multimedia nature, such as a signature or the images captured by a video surveillance camera.
● Special categories of data cover all information that, if leaked or improperly used, may affect the fundamental rights and freedoms of the data subjects. They include data on ethnic and racial origin, religious convictions, genetics, biometrics (such as facial recognition or retina scans), as well as data on sexual orientation and on physical and mental health. "This is the case of a private health center that needs information on the health status of its patients in order to care for them. If this information were revealed, the damage to the user's reputation would be greater than if their email address were leaked," points out Carmen Aguilera, head of the legal department of the Atico34 group, a consultancy specializing in data protection.
How should a company protect the data of the people with whom it interacts?
The law requires companies and the self-employed to maintain security measures that guarantee the protection of data, in both physical and digital format. But it does not prescribe specific measures, since, as Aguilera points out, not all companies have the same economic capacity or handle the same volume of information. The Spanish Data Protection Agency (AEPD), the public body in charge of ensuring compliance with the law, offers a series of recommendations.
Information can be stored on physical or digital media, and each requires its own measures. Data stored on traditional media, such as paper, must be kept in a way that prevents unauthorized access. Aguilera points to the usual methods: locked cabinets and drawers in offices with restricted access. "This should be complemented with alarm systems," she points out.
In the case of digitized information, Aguilera points out that the main thing is to protect the documentation stored on computer equipment and in user accounts by means of passwords. "The experts' recommendation is that it be alphanumeric and contain at least eight characters. In addition, it will have to be changed every three to six months," highlights this expert.
Backups ensure that information remains available. Aguilera specifies that the most appropriate approach is to keep it on at least two media: a physical copy, on hard drives, and another on a server in the cloud. The hard drives must be protected in the same way as any other physical medium.
Within the company, data can be used without revealing the identity of its owners. The technique is called dissociation or pseudonymization: personal information is used after stripping the attributes that identify the people it refers to. "To develop an equality program, only a few pieces of information are needed, such as the gender of the employees and their training, for example. This way you limit the use to what is strictly essential," describes Aguilera.
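The following is an added example, not code from the article or from any of the consultancies it quotes, of the pseudonymized extract Aguilera describes: an HR record set is reduced to the two fields the equality study needs, and each person is identified only by a keyed pseudonym. The records, names, DNI numbers and the choice of HMAC-SHA256 with a separately held key are assumptions made here for the demonstration.

```python
"""Pseudonymized HR extract for an internal equality study.

Added example (not from the article). Assumes a flat list of employee
records and a secret key that HR keeps apart from the extract; both are
constructed here for the demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed sample HR records: fictitious people and DNI numbers.
EMPLOYEES = [
    {"dni": "12345678Z", "name": "Ana Pérez", "email": "ana@example.org",
     "phone": "+34600000001", "gender": "F", "training": "degree", "salary": 31000},
    {"dni": "87654321X", "name": "Luis Gómez", "email": "luis@example.org",
     "phone": "+34600000002", "gender": "M", "training": "vocational", "salary": 28500},
    {"dni": "11223344B", "name": "Marta Ruiz", "email": "marta@example.org",
     "phone": "+34600000003", "gender": "F", "training": "master", "salary": 40200},
]

# Fields that identify a person directly and must never reach the extract.
DIRECT_IDENTIFIERS = ("dni", "name", "email", "phone")


def new_pseudonymization_key() -> bytes:
    """The key is the 'additional information' that allows re-identification,
    so it is generated once and stored away from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed HMAC-SHA256 of the identifier, truncated to 64 bits.

    An unkeyed hash would not do: the DNI space is small (about 10^8
    values), so a plain SHA-256 table re-identifies every row quickly.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymize(records, key: bytes, keep_fields):
    """Return a view that keeps only `keep_fields` plus a pseudonymous id.

    Anything not listed in keep_fields (salary, contact data, ...) is
    dropped, which is the data-minimization part of the technique.
    """
    return [
        {"pid": pseudonym(key, r["dni"]), **{f: r[f] for f in keep_fields}}
        for r in records
    ]


def leaks_identifier(view) -> bool:
    """Check an extract before handing it over: True if any direct identifier
    survived in any row."""
    return any(f in row for row in view for f in DIRECT_IDENTIFIERS)


def reidentify(records, key: bytes, pid: str):
    """Only the key holder can map a pseudonym back to a DNI; anyone holding
    the extract alone cannot."""
    for r in records:
        if hmac.compare_digest(pseudonym(key, r["dni"]), pid):
            return r["dni"]
    return None


if __name__ == "__main__":
    key = new_pseudonymization_key()
    view = pseudonymize(EMPLOYEES, key, ("gender", "training"))
    assert not leaks_identifier(view)
    for row in view:
        print(row)
```

The same DNI always maps to the same pseudonym under one key, so rows from different extracts can still be joined for the study, while a fresh key produces unlinkable pseudonyms. Note that a pseudonymized extract is still personal data under the GDPR as long as the key exists somewhere in the organization; it lowers the impact of a leak, it does not take the data out of scope.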
For what purposes can a company use the data?
The company's privacy policy must include a description of all the procedures through which it obtains personal data, a detailed account of users' rights and an inventory of the uses that will be made of the data. For example: handling requests for information, managing data provided by job applicants or sending commercial communications by email.
Companies also handle internal data about their employees. In this case, they must agree a confidentiality and data transfer commitment with them. With providers that access personal information, such as video surveillance companies or tax advisers, specific contracts (data processing agreements) will also have to be signed to guarantee the privacy of this sensitive information.
What rights does the user have regarding the data that they transfer to companies?
Companies and self-employed workers must not only guarantee the privacy of information about natural persons. They must also make it available at any time to a user who requests it and, above all, guarantee its integrity. In this case, Miralles explains, a copy will have to be delivered to the user, who may ask for it to be rectified if it contains errors.
If the user asks for their data to be erased, the company has to comply with the request, although it will not always be able to delete all of it, explains García. Aguilera adds that, by law, companies are obliged to keep certain information, such as an employee's payroll records or the receipts that prove a student's payments to an educational center. "In the future, public bodies may request this documentation from the company." Under the legislation, the company has to respond within one month, explaining what information has been deleted and what cannot be deleted. The most common case, Aguilera points out, is users demanding that their data be removed from commercial communication lists, such as telephone or email advertising.
Companies with a large volume of data (more than 50,000 records) and those of any size that handle sensitive information, such as schools, health centers and marketing companies, must have a data protection officer. This professional must hold the AEPD qualification, which is obtained by passing an exam or by demonstrating knowledge of the field, for example by holding a university degree in Law or having worked in data protection, says Aguilera.
Where can SMEs find out about data protection?
Luis A. García, co-director of the master's degree in Data Protection and Security at Nebrija University in Madrid, indicates that any entrepreneur must build data management into their business plan from the outset. The Spanish Data Protection Agency (AEPD) publishes digital guides and provides advice so that companies can adapt their activity to the legislation. In addition, there are consultancies that help organizations manage and protect their data and resolve any incident.
Turning to a consultancy, explains Jaume Feliu, engineer, executive director of the PymeLegal consultancy and data protection officer, is especially useful for organizations that handle sensitive data. It allows them to carry out a detailed analysis of the risks of processing this information in order to manage it more safely and efficiently. The professional advice of a bank manager who is expert in this matter will also be useful.