How to Adapt Online Business to the Data Protection Regulation
When you run an internet business, you cannot simply store the personal information you hold and leave it at that. You must guarantee its availability, confidentiality, and integrity.
General Data Protection Regulation in Online Business
The right to data protection belongs to all people, and it is very relevant, even at the constitutional level. Therefore, you must ensure that all the information you are responsible for is protected in your business.
However, in the technological age, we are more vulnerable than ever, which has given rise to essential regulation. The European RGPD (GDPR) standard has harmonized the data protection laws of all the EU member countries and had a compliance deadline of May 2018.
Now, therefore, Law 3/2018 of December 5, in other words the new Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD), has entered into force with great prominence.
If you have come this far and are thinking, "who will notice me if I am just a small online business?", be careful! The regulation draws a line that separates responsible, committed, and competent professionals from those who are not, and this will not go unnoticed by those who visit your website.
What Opportunities Can the LOPDGDD Give Business On The Internet?
The most important factor of the LOPDGDD (Law on Protection of Personal Data and Guarantee of Digital Rights) is commitment, so you must show a proactive attitude and not think of data protection as a change that will later remain static. Now, the protection of personal information has a top priority and is an unavoidable commitment. In your online business, you must consider the nature of your work, the context, the purpose of data processing, and its risks.
Therefore, copying and pasting the policy of another web page will no longer be enough to fulfill your obligations. Also, keep in mind that compliance with the regulations must act as a defensive shield against security breaches in the storage of the information you collect. In short, the guarantee of the right to data protection must be constant.
Fundamental Changes You Must Make To Your Website
The GDPR introduces many changes, some more visible than others. In the case of an online business, there are some fundamental steps that you have to take. Why? Because not taking them would mean losing the ability to compete with other companies and facing serious penalties. Do not worry: we will tell you what to do so that this does not happen.
The Consent
Consent is the most important aspect you must consider in your business, since it covers many practices that we have allowed ourselves until now and that are now prohibited. For example, before, you could have pre-ticked boxes for "I have read and accepted the privacy policy" and for "I accept the sending of promotions and advertising." Forget about pre-ticked boxes; now, putting the tick is the exclusive task of the user.
In addition, you should always specify what you will use the data you request from your users for. If you are going to use it for a different purpose at any time, you must request consent again. Said consent must be express, explicit, and unequivocal. Therefore, if you have data collected before the LOPDGDD, request consent again if you had these pre-marked boxes.
ARCO Rights and the Right to be Forgotten
Natural persons have new rights, so, in your online business, you must know the well-known ARCO rights (access, rectification, cancellation, or opposition) and the right to be forgotten. Once you hold data from natural persons in your online business, they have the full right to access it, rectify it, cancel it, and oppose its processing. They also have the right to be forgotten, that is, to have you erase said data.
You have to tell them how they can exercise these rights free of charge. The most common approach is to provide them with an email address. Once you are asked to honor any of these rights, you must respond within a month or be exposed to serious sanctions.
Do You Need a Data Protection Officer (DPO)?
The new figure of the DPO is not mandatory in most cases. It is only required when dealing with large-scale or especially sensitive data. For an internet business this is not usually the case unless, for example, you hold data on health, ideology, etc.
File Registration vs. Activity Logging
Before, you needed to register your data files; with the LOPDGDD, keeping a record of data processing activities is mandatory instead, and that record remains under your responsibility.
In this record, you will include the nature of the information you collect, what you use it for, whether you share it and whether you transfer it to third countries, and your security measures. You must make it available to the AEPD if requested. In addition, in the case of a digital business, it is highly recommended that you publish it.