What is data protection and why is it important for an SME?
Easily guarantee the protection of your customers' data through two platforms.
Since the General Data Protection Regulation (GDPR) became directly applicable in Spain in May 2018, data protection has become a recurring theme in the business world: every company has had to (or should have) adopted measures to protect personal data and thus "dodge" the heavy fines introduced by the new regulation.
In practice, the business world has adapted unevenly. Although we do not yet have figures for 2021, the latest studies concluded that around 48% of Spanish companies have not finished implementing the measures needed to comply with the GDPR, even though 69% of the EU population aged 16 or over has heard of the GDPR, according to the 2020 Fundamental Rights Survey "Your Rights Matter: Data Protection and Privacy" by the European Union Agency for Fundamental Rights.
If you want to make sure that your company complies with the regulation with all the guarantees, read on.
At this point you may be wondering: what exactly is personal data? Personal data is any data that identifies a person or makes it possible to identify one (name, e-mail address, telephone number, gender, age, disability, employment, tax identification number, and so on).
Data protection is a fundamental right of all natural persons (it is recognized as such, on the same level as the rights to health, dignity, etc.). It requires companies (data controllers) to comply with a series of obligations and principles in order to protect the personal data of their customers, suppliers and employees (data subjects). In short, it is a guarantee that this right is respected and that the data is used only for what is necessary.
Proper privacy management brings numerous medium- and long-term benefits to the company: improved reputation, better asset management, greater competitiveness, less exposure to breaches and incidents and, above all, a guarantee of regulatory compliance that avoids fines and lawsuits, with the costs these entail. The truth is that the cost of complying does not necessarily have to be high for a small company, especially if technology is not its core business.
What determines how you should act is the volume of personal data you handle and its sensitivity.
The Spanish Data Protection Agency (AEPD) is the public body responsible for ensuring compliance with the rules (GDPR and LOPD-GDD). Aware of the challenge that a correct adaptation can pose for SMEs without an expert on hand, it has made free tools available to the public. We explain them below so that you can decide which one suits your needs and start testing your level of compliance now:
The first tool is aimed at small companies whose processing operations do not make significant use of new technologies. It is free and consists of a series of questionnaires that generate the mandatory documents and guides to assist with compliance.
The second tool is aimed at companies whose processing operations do make use of new technologies. Like the first, it is free and consists of a series of questionnaires that generate the mandatory documents.
How do I prove compliance?
Just as important as complying is being able to prove it. The GDPR is based on the principle of accountability (proactive responsibility), which means that the data controller must not only meet its obligations but also be able to demonstrate that it does.
The key documents that you must generate and keep updated are:
- A pre-completed Record of Processing Activities (RAT).
- An incident log sheet template.
- Contractual clauses to include in the contracts you sign with data processors and suppliers.
These documents are generated by the tools we mentioned in the previous section.
However, downloading and completing the tool does not mean you automatically comply with the GDPR. Beyond these documents, many other obligations may apply to you in certain cases, such as appointing a DPO, implementing security measures, keeping records of consent, or being able to respond when data subjects exercise their rights.
Therefore, if you are not sure how to translate all these obligations into practice in your company, there is nothing like expert advice to ensure that you comply with all the guarantees.