- Types of personal data: basic or ordinary data (name, surname, telephone, address, etc.) and special or sensitive data (health, religion, sexual orientation, ideology, trade union membership and similar).
- Unambiguous consent and grounds for legitimacy: the person to whom the data belongs must give prior, express and informed consent before it is processed, and it must be possible to evidence that consent (in writing in a contract or authorisation, by recording, by checkbox, etc.). When the processing cannot be justified by consent or by a contract, it can be legitimised on other grounds, but only if it is processing for vital interests (e.g., an emergency call), in the public interest (e.g., the civil registry), under a legal obligation of the entity that will process it (e.g., identification of persons) or for a legitimate interest (e.g., security cameras).
- Rights of individuals as holders of personal data:
  - Right of access: to know what data is held and how it is used.
  - Right of rectification: if the information is inaccurate or incomplete.
  - Right to object to the processing of their data.
  - Right to erasure or right to be forgotten: deletion of their data.
  - Right to the limitation (restriction) of data processing.
  - Right to portability: the ability to request that their data be transferred directly from one organisation to another.
  - Right not to be subject to automated individual decisions.
- Keep the interested party informed: the entity, as Data Controller and owner of the database (e.g., a telephone operator), and its suppliers, as Data Processors, must keep the data owner informed in a concise, transparent and easily accessible form, using clear and plain language.
- Data Controller and Data Protection Officer: in any activity that processes personal data there must be at least one person (a natural person) responsible for protecting it and ensuring compliance with the provisions of the RGPD; this may be the Chief Information Security Officer (CISO). If the entity's activity depends mainly on the processing of personal data, a Data Protection Officer (DPO) must be appointed to assume these functions and to coordinate with the CISO on the security side.
- Principle of proactive responsibility: any person or entity that processes third-party data must know what data it processes, for what purpose, how and for how long. To this end, a risk analysis must be performed on each of the processing operations to be carried out and, based on the results, security measures must be established to guarantee privacy and comply with the regulations.
- Record of processing activities (RAT): to demonstrate control over this proactive responsibility, public and private entities are required to keep an internal record of their data processing activities. The exception is private companies with fewer than 250 employees that do not process sensitive data or data that pose a risk to the affected parties; for them the record is recommended but not mandatory.
- Data protection by design and by default: measures must be taken from the outset of the design of any data processing to comply with the regulations and, by default, only the strictly necessary personal information must be handled. This is not limited to secure development at the technical level; it applies to any project that involves new data processing (e.g., replacing card-based access control with fingerprint readers, proposing a new service or product, opening a new office in another country, etc.).
- Impact assessment: this is a specific risk assessment that complements the above. For data processing involving high risk, for example the handling of sensitive information on a large scale (e.g., health data) or a major change in processing technology (e.g., automation of services), an impact assessment must be carried out before the processing starts.
- Notification of a breach: the Police must be notified, and the Spanish Data Protection Agency (or the supervisory authority of the corresponding country) must be notified within 72 hours, whenever there is a security breach (accidental or unlawful destruction, loss or alteration) affecting personal data. In the case of a high-risk breach, the data subjects must also be informed, or the media when individual notification is not possible.
