8 most common infringements of the GDPR
The dreaded / long-awaited GDPR is here. After months of announcements of all kinds about the need to prepare for it, the European General Data Protection Regulation now applies … and many companies are going to be caught off guard.
In fact, a year ago we reported that almost half of the organizations and companies with more than 1,000 employees worldwide (47%) considered that they were not prepared to comply with the GDPR's requirements within the deadline. That was one of the main conclusions of a study by Veritas Technologies, which also found that 86 percent of the companies surveyed believed that failing to comply with the new regulation could have negative consequences for their business.
And it doesn’t seem like that has changed too much.
You only need to look at the avalanche of emails we have received in recent days from companies of every kind asking us to renew our consent to the processing of our data. It is a somewhat absurd exercise: if they already held our data, they should already have had our consent for it, and asking us to confirm it again can only cost them a good part of their records, since many people will never open those emails or complete the process. And if they did not have our consent beforehand … they were already acting unlawfully.
Most common GDPR violations
Perhaps for this reason the team at Coverfy, the app for managing all of your insurance policies from your mobile, has compiled the most common failures that lead e-commerce sites, businesses and digital startups to infringe data protection law, and for which it recommends both an action plan and data protection insurance covering unintentional breaches.
And remember: the GDPR brings a much stricter penalty regime, with significantly higher fines. Specifically, administrative fines can reach 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. It pays to get this right.
1. Have a ‘tacit’ consent system for the use of user data.
Until now, a user's data could be processed as long as, having been notified, the user did not object. From now on, an affirmative response from the customer is required: silence, inactivity or a pre-ticked box does not count as consent.
2. Not having an age verification system
As for the consent of minors, a child may give it without a guardian from the age of 16, although the GDPR leaves each member state free to set a lower limit, provided it is not below 13.
On this point there will also be changes in the new Spanish LOPD, since the Spanish Agency for Data Protection is considering lowering the age of consent for the processing of personal data to 13. In addition, the new law will allow heirs to access the data of deceased persons in order to have it deleted or rectified.
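Points 1 and 2 together describe a mechanism rather than just a rule: consent only counts if it comes from an affirmative action, and a minor below the national age of consent needs a guardian's consent instead. The following Python is an added illustration written for this article, not code from Coverfy or from any regulator. The form field names (`opt_in`, `opt_in_default`, `guardian_opt_in`), the `record_consent` function and the country codes `XA`/`XB` with their thresholds are all assumptions constructed for the example; only the 16-by-default, not-below-13 rule comes from the text above.

```python
"""Turn a consent form submission into an evidentiary record, or refuse it.

Added example for this article (not the article's or Coverfy's own code).
Field names, country codes and national thresholds below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone

# GDPR Article 8: 16 by default; a member state may lower it, but not below 13.
DEFAULT_AGE_OF_CONSENT = 16
MINIMUM_AGE_OF_CONSENT = 13

# Constructed national overrides (hypothetical codes and values, not real statutes).
NATIONAL_OVERRIDES = {"XA": 13, "XB": 14}


class ConsentError(ValueError):
    """Raised when a submission cannot be treated as valid consent."""


def age_of_consent(country: str, overrides: dict = NATIONAL_OVERRIDES) -> int:
    """Return the age of consent for a country, rejecting thresholds GDPR does not permit."""
    age = overrides.get(country, DEFAULT_AGE_OF_CONSENT)
    if not MINIMUM_AGE_OF_CONSENT <= age <= DEFAULT_AGE_OF_CONSENT:
        raise ConsentError(f"{country}: threshold {age} is outside the 13-16 range GDPR allows")
    return age


def years_old(birth: date, on: date) -> int:
    """Whole years between two dates, without the off-by-one that (on - birth).days // 365 gives."""
    had_birthday = (on.month, on.day) >= (birth.month, birth.day)
    return on.year - birth.year - (0 if had_birthday else 1)


@dataclass(frozen=True)
class ConsentRecord:
    """What you keep to prove consent later: who, for what, which policy text, when."""
    subject_id: str
    purpose: str
    policy_version: str
    given_at: datetime
    guardian_consent: bool


def record_consent(submission: dict, *, country: str, birth: date, now: datetime) -> ConsentRecord:
    """Validate a (hypothetical) form submission and return the record to store."""
    # 1. No tacit consent: a missing field, a falsy value or a pre-ticked box is not an opt-in.
    if submission.get("opt_in") is not True:
        raise ConsentError("no affirmative opt-in")
    if submission.get("opt_in_default") is True:
        raise ConsentError("pre-ticked box is not an affirmative action")
    # 2. Consent is only meaningful for a stated purpose and a specific policy text.
    for field in ("subject_id", "purpose", "policy_version"):
        if not submission.get(field):
            raise ConsentError(f"missing {field}")
    # 3. Minors below the national threshold need the guardian's consent instead.
    threshold = age_of_consent(country)
    guardian = False
    if years_old(birth, now.date()) < threshold:
        if submission.get("guardian_opt_in") is not True:
            raise ConsentError(f"under {threshold} in {country}: guardian consent required")
        guardian = True
    return ConsentRecord(
        subject_id=submission["subject_id"],
        purpose=submission["purpose"],
        policy_version=submission["policy_version"],
        given_at=now,
        guardian_consent=guardian,
    )


# Constructed sample input so the module runs stand-alone.
SAMPLE_NOW = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_FORM = {
    "subject_id": "user-42",
    "purpose": "newsletter",
    "policy_version": "2018-05",
    "opt_in": True,
    "opt_in_default": False,
}


def run_demo() -> dict:
    """Exercise the checks on constructed data; returns outcomes for inspection or tests."""
    adult = record_consent(SAMPLE_FORM, country="XC", birth=date(1990, 1, 1), now=SAMPLE_NOW)
    minor_xa = record_consent(SAMPLE_FORM, country="XA", birth=date(2003, 1, 1), now=SAMPLE_NOW)
    try:
        record_consent(SAMPLE_FORM, country="XC", birth=date(2003, 1, 1), now=SAMPLE_NOW)
        minor_default_refused = False
    except ConsentError:
        minor_default_refused = True
    try:
        record_consent(dict(SAMPLE_FORM, opt_in_default=True), country="XC",
                       birth=date(1990, 1, 1), now=SAMPLE_NOW)
        prechecked_refused = False
    except ConsentError:
        prechecked_refused = True
    return {
        "adult_guardian": adult.guardian_consent,
        "minor_xa_guardian": minor_xa.guardian_consent,
        "minor_default_refused": minor_default_refused,
        "prechecked_refused": prechecked_refused,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of returning a `ConsentRecord` rather than a boolean is accountability: when a regulator or the data subject asks, you need to show which policy text was accepted, for which purpose and when. Note also that a 15-year-old is refused under the 16 default but accepted in the hypothetical country `XA` that lowered the age to 13, which is exactly the member-state variation the text describes.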
3. Not having a complete data collection system
It is not enough to handle data securely; the data itself must be accurate, adequate, relevant and limited to what is necessary. So that the business owner or the person responsible for the data does not commit an infringement by processing inaccurate data, they must take every reasonable measure to ensure that the customer supplies information that is as accurate as possible, and keep it up to date.
4. Not having a regulated internal data use policy
It is essential that the whole staff, or the self-employed person, work to a clearly defined policy on how the database may be used. If, through oversight or ignorance, someone uses a customer's data for another business purpose for which it was not collected, the penalty can be substantial. This matters especially in co-working spaces shared by several companies, where extreme care is needed in how this kind of information is used and passed around day to day.
5. Not having a data protection officer (Data Protection Officer or DPO)
Related to the previous point, one of the main changes in the new law is the Data Protection Officer (DPO). The role is voluntary in general but mandatory for organizations whose core activities require regular and systematic monitoring of data subjects on a large scale, or consist of large-scale processing of special categories of personal data. A data protection channel must likewise be set up to receive and record security incidents and risks, and to handle requests from data subjects exercising their rights.
6. Terms and web conditions
The website's policies and terms must be written correctly for your own business. A classic beginner's mistake is to copy them from other sites, and these are precisely the sections on which inspections focus most.
7. Not having a good computer system against cyberattacks
In the new digital business landscape, information security systems and protocols that protect against third-party attacks are essential, all the more so when you process other people's personal data.
8. Do not include the evaluation and prevention of risks in the management of the company
To manage, analyze and prevent risks effectively, the company must have a specific procedure or protocol for risk assessment in this area, together with action plans prepared in advance for possible crises, setting out how to act towards the law, the authorities and the people who entrusted their data to the company.
Other Helpful Security Tips for Digital Businesses and Startups
- Companies that develop or sell applications should carry civil liability insurance covering claims from their customers.
- Companies whose business is advisory, whether professional services or product advice, should carry professional civil liability insurance covering claims from clients arising from errors and / or omissions.
- E-commerce and online sales businesses should carry civil liability insurance against cyberattacks, covering the loss of sales caused by outages.