The GDPR updates the rights already recognized in Directive 95/46/EC, incorporates new rights adapted to the digital environment and establishes new obligations arising from the need to meet the challenges of the digital society, characterized by:
• Internet connectivity, which leads to greater intrusion by different operators into the private sphere of data subjects.
• The greater presence of artificial intelligence in everyday life, as well as the increase of Big Data Projects.
• The concentration of information society service providers into a small group of players in dominant market positions, whose business model is based on offering free services that monetize users' personal information.
The challenges mentioned above give rise to the need to reconcile technological development and innovation with adequate protection of the rights of European citizens.
The application of the GDPR implies the existence of greater control measures over entities that process personal data, as well as an impulse for awareness-raising and training in this area.
Currently, according to CIS data, 76.1% of Spanish population are very or fairly concerned about the protection of their personal data. This figure is a clear reflection of society's concern about the processing of their personal data.
As a consequence of the GDPR, on December 6, 2018, Organic Act 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), was published in the Official State Gazette (BOE), introducing several changes, such as the right to digital disconnection and developing further some of the contents of the GDPR.
The incorporation of both texts in the applicable regulatory framework entails the introduction of significant changes in the Spanish legal system, granting greater rights to citizens and posing great challenges for companies that process personal data.
Among all the changes introduced by the new regulations into the legal system (registration of processing activities, new rights for data subjects, obligation to notify security breaches, carrying out impact assessments, appointment of a Data Protection Officer, etc.), the principle of proactive liability established as a new obligation for data controllers by the GDPR stands out.
The principle of proactive liability entails a change of mentality, demanding a conscious, diligent and proactive attitude on the part of the entities with regard to all the processing of personal data that they carry out. In particular, the controller must anticipate risks by applying appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with the standard.
Another change that has arisen concern among entities whose business involves the processing of personal data, is the increase in the amount of sanctions for non-compliance. Sanctions can reach up to 20 million euros or 4% of the annual global turnover.
Finally, it is important to point out that the changes established by the aforementioned regulations mean that business models that have not been able to adapt to the new market rules will be outdated. However, business models that have seen an opportunity in the new regulation will enjoy a competitive advantage in the market.
Begoña Moreno Pérez. Attorney, Legal Department PONS IP.
Estrella Arana Gálvez. Attorney, Legal Department PONS IP.