One of the consequences for businesses is that they will have to (and have already begun to) reduce their databases by half. But this does not have to be a bad thing: it may mean more robust, more useful and more valuable databases.
May 25 has arrived. But it is not the end, it is only the beginning, stressed Javier Marzo, a partner of Garrigues’ Corporate/Commercial Law Department, as he launched the Data Day event organized by the firm on the first day that the General Data Protection Regulation (GDPR) came into force, with a view to addressing key questions regarding the new European regulation. Javier Marzo reminded those present that the regulation has generated and continues to generate uncertainty in practice and this is where the firm wants to be there for clients and help them navigate the changes.
Alejandro Padín, a counsel in Garrigues’ Privacy and Technology area, explained the aspects that need to be taken into account now that the date that all businesses had circled in their calendars has arrived. He spoke about the regulatory environment in the short and medium term in Spain and the EU and analyzed the amendments tabled to the Spanish Data Protection bill in the Spanish Parliament.
Alejandro Padín explained that the new regulation has dramatically changed the way data is handled by organizations: “It is a huge success and everyone has finally realized its importance”. Like Javier Marzo, he too wanted to send a clear message to those present at the Garrigues Data Day: “This is not the end of the world, in fact it is simply the beginning”.
More robust and more useful databases
One of the consequences for companies is that they will have to (and have already begun to) reduce their databases by half, but as Alejandro Padín indicated, “this does not have to be a bad thing, it may mean more robust, more useful and more valuable databases”.
Regarding the regulatory changes, he reminded those present that just a few days ago a corrigendum of the GDPR due to translation issues was published in the Official State Gazette. This document had been around since April but went beyond a mere corrigendum and introduced some significant changes to the Regulation.
He also indicated that the Spanish Data Protection Bill has not progressed much over the last few months: “The amendments are ready but there are so many that it will probably take longer than expected. In fact I very much doubt that the law will be ready before the end of the year”.
Once the new Data Protection Law is ready, the implementing regulations will need to be approved in a royal decree. National laws in all the other European countries are also expected, together with new guidelines by the Article 29 Data Protection Working Party and actions by the national data protection agencies. In relation to this last aspect, Padín highlighted that what agencies in other countries have to say will be very important, since the GDPR is shared legislation and rulings by the data protection authorities in other States could set precedents. This will make it necessary to follow data protection rulings very closely.
Data Protection Officer
Another of the key aspects relates to the data protection officer (“DPO”). Katiana Otero, an associate of Garrigues’ Privacy and Technology area, explained the salient aspects to be borne in mind in this regard. She referred, for example, to the requirements that DPOs must meet under the new legislation: technical and legal knowledge with proven experience in privacy legislation, knowledge of the company and its sector of activity, and professional ethics. DPOs must also be particularly careful to avoid both internal and external conflicts of interest. She also addressed other issues that may generate debate in the future: the nature of the employment relationship between the company and its DPO, whether the DPO’s employment contract should be modified, and whether he/she can be dismissed and in what circumstances.
Alejandro Sánchez del Campo, an of-counsel at Garrigues, analyzed the challenges currently faced in the area of big data and artificial intelligence (AI). He started by exploring the concept of AI and went on to speak about the challenges posed, in terms of responsibility, by potential algorithmic bias. He also reflected on whether it makes sense for robots to be declared electronic persons, as suggested by the European Parliament, on the principles that should be applied when designing AI, and on the latest press release by the European Commission stating that Europe needs to invest at least €20 billion so as not to be left behind. He ended his presentation by referring to some of the real uses currently being made of big data.
Francisco Pérez Bes, general secretary of the Spanish National Cybersecurity Institute (Incibe), rounded off the day by explaining that the GDPR is “a new regulation that seeks to change the way data is protected: we have gone from simply having to meet certain requirements to now having to take responsibility and choose the technical and organizational measures that are most suitable and effective for each organization”. But he invited those present to see it as an opportunity. “This should be viewed as corporate culture, with constant and permanent obligations in order to ensure data is protected: it is a legal and ethical obligation, but it also involves corporate social responsibility, good business practices, professional diligence, etc.”, he indicated. Finally, he highlighted the importance of adopting technical and organizational preventive measures in order to protect companies’ security.