How to apply the RGPD and not die trying

The entry into force of the RGPD (General Data Protection Regulation) is how climate change, affects us all equally.

Whether you are a large company, an SME, an autonomous or a mere user, absolutely all share data on the Internet that are likely to be stolen or used against our interests.

From 2016 to 2017 there was a 160% increase in cyber attacks that were aimed at the theft of personal data from different companies. In total more than 2 billion data have been stolen this past year.

The creation of a new regulation that would make us stronger in the face of these threats was absolutely necessary. If there are no laws like this, we might see ourselves facing a situation similar to the one posed by chapter 3 of the fourth season of Black Mirror, where the State could see our memories and even use them. Science fiction, in and of itself, is not a solid argument, but it would not be the first time that it predicts something that ends up happening in real life.

With the new RGPD we have gone from a reactive model, in which one acted once the data had already been stolen or were in danger of being stolen, to a proactive model whose objective is to stay one step ahead of those attacks.

This regulation applies both to companies that develop their activity in Europe, as well as to those that, although they are not in this territory, treat personal data of European citizens.

News of the new regulation
Do you remember that with the LOPD was mandatory requirement to notify the files to the Spanish Agency for Data Protection? Well with the RGPD this disappears. The famous file is replaced by a record of the data processing operations performed.

Express consent

This is one of the pillars of the new European Regulation. From now on, in order to process personal data (such as name and email), the user must express his or her consent to this end in an express, unequivocal, free and verifiable manner. This means that in order to register with our database, users must make a confirmation action in which they have read and accept the privacy policy and the use we will make of their information.

Greater information requirements

The RGPD obliges us to clearly inform about the storage and use aspects of our users data.

The idea is that users can make decisions based on the information they receive. And for that, they must first understand what we are telling them. Therefore, the RGPD requires full and simple reporting and explaining the concepts without abuse of technicalities, so that any interested person knows 100% what they are reading.

Greater control over who you share information with

The new data protection law also covers third parts with whom we work on a regular basis and with whom we share personal data. We will have to make sure that the policies of our suppliers comply with the RGPD; whether from the European Union or from outside, we must check that they meet the new requirements (most of the tools that entrepreneurs use have made adjustments to adapt to the RGPD or are in the process of doing so, so in principle this will not be a problem).

Right to forget

Another of the great innovations of the RGPD is the emergence of new rights for users, and among them the right to be forgotten stands out. From now on, users can revoke the consent given at any time and demand the elimination of our data. On the other hand, as users we also have the right to portability and limitation of treatment.

Sanctions

The owners of the data may claim compensation if they detect a bad treatment of them. When determining the amount of the sanction, the total volume of the business will be taken into account and this will favor the search for compliance even by the large multinationals.

How to apply the RGPD and not die trying
Basically, the application of the new RGDP is to record in detail the information of our users, adapting the contracts and forms to a personalized privacy policy.

Two are the obligations to be taken into account for compliance with the new law:

The first obligation is to link an initial information with a more complete one. It is a layered system: A link from the first layer to the second, where the conditions of the privacy policy are detailed, and to which we link from the subscription form itself.

The second obligation is: to ensure express consent: The user must accept the privacy policies. It is not enough not to take any action. In no case may be considered one of the ways to accept the conditions of the policy. You must show when you gave your express consent, which is reflected in a list.

The steps necessary for a complete adaptation to the Regulation are the following:

Step 1. Adjust and adapt the legal texts of your digital business

The conditions of your privacy policy must be accepted, expressly by users. With the RGPD we must have the text adapted to our particular circumstance and contemplate our conditions: tools, plugins and third parts who have access to the data, purpose, etc. There are applications to generate the texts automatically. To do this, you must complete the information about your business, and you can download the templates for your website. One of them is the LEXblogger, known as one of the applications for the legal adaptation of your website.

Step 2. Adapt the subscription forms to the RGPD

You have to add a new checkbox in the subscription forms informing about the privacy policy and that you must be required to sign up to subscribe. You also have to add a legal tagline where links to your privacy policy.

And how does the RGPD affect old subscribers?

Here is responsible for the digital entrepreneurs and bloggers we have thrown our hands in the head for the entry into force of the new data protection law. What about the subscribers who joined your list before the RGPD arrived? Are they affected by the regulations?

Yes, it affects them, because the law now says that to conserve contacts, it is mandatory to convert all tacit consents into explicit and verifiable consents. That is: We have to inform the former subscribers of the RGPD requirements and ask them to read and accept the new privacy policy if they want to continue being part of our community.

The problem here is that not everyone is going to reconfirm, so the RGPD is going to involve the loss of many subscribers. But even if it is a task and the work and effort of years are loaded, the law must be complied with.

Step 3. Adapt the contact forms

We must start from the distinction between the contact form of the subscription. They do not have the same treatment or the same purpose. The contact form is a clear gateway for potential clients. Despite their differences, both forms must be adapted in the same way to the aforementioned regulation. Without forgetting that a person is not giving his consent with the always done writing through the contact form or to be a subscriber or receive your emails.

Step 4. Adapt blog comments

In case we are talking about a blog, we should adapt even the comments. Since when we comment on the articles of the blog we can collect personal information such as name, email

Step 4. Adapt blog comments

In case we are talking about a blog, we should adapt even the comments. Since when we comment on the articles of the blog we can collect personal data such as name, email and IP (and the new data protection law considers the IP as personal information). So in this case, we also have to add the legal tagline and the checkbox.

Step 5. Add legal tagline in all your emails

Newsletter, sales emails, automatic replies or emails from your business email account, all must carry the legal tagline below the signature.

There is also the possibility of hiring a professional in the field. Specialized lawyers that offer good advice in exchange for a small fee.

Main photo: Sharon Mccutcheon