WHAT IS GDPR (General Data Protection Regulation)?

The General Data Protection Regulation (GDPR) is the body of law established by the European Union (EU) in its legislation concerning data protection and privacy within the EU and the European Economic Area. For practical reasons, this regulation also addresses transfers of personal data outside the EU.
The GDPR was adopted on April 14, 2016, and came into effect on May 25, 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, but it provides flexibility for certain aspects of the regulation to be adjusted.
The aim of the GDPR is to give individuals control over their personal data. With this, the EU seeks to unify the regulations and requirements for the processing of personal data of individuals within the European Economic Area. However, it applies to any company processing personal information of individuals within the European Economic Area, regardless of their location or residence. The GDPR replaces the Data Protection Directive 95/46/EC.
This regulation establishes that companies that control and process people's personal data are obliged to implement all data protection principles, so all business processes involving the handling of personal data must be designed taking into account the principles established in the GDPR to protect the information.
Information systems must be designed with the priority of maintaining privacy, as established by law. This translates into privacy settings that prevent data from being accessible by default, thus avoiding the identification of an individual through this information.
It is also stated that the processing of personal data should only occur under the six bases specified in the regulation: consent, contract, public task, vital interest, legitimate interest, or legal requirement. Furthermore, if the data subject provides their data based on consent, they have the right to withdraw it at any time.
On the other hand, companies that collect data must declare the legal basis and purpose of data processing, and indicate how long the data is retained and whether it is shared with third parties.
Every business will be obligated to protect all data it holds about employees and customers, always prioritizing the least possible interference with the privacy of employees, customers, or third parties. Internal controls and regulations are necessary, such as audits, and data subjects will be able to request a copy of the collected data and request its deletion. Public authorities and companies whose core business is the regular or systematic processing of data must appoint a Data Protection Officer (DPO), who is responsible for managing compliance with the Regulation.

