We've all received a torrent of emails warning us of privacy policy changes from every company we have any relationship or account with; so many that they crashed MailChimp's servers for hours. The reason:
the new GDPR, the General Data Protection Regulation (RGPD in Spanish), which comes into force today.
It is a Europe-wide regulation that updates the rules behind Spain's old Organic Law on Data Protection (LOPD) and tightens the requirements for companies that handle our personal data, restricting how it may be used and giving users and customers more rights over how it is handled and stored. This is a positive thing: in the times we live in, data changes hands with incredible speed and accumulates in large pools of big data, which make social manipulation possible on a scale unthinkable a few years ago, so it needs to be under some kind of control.
But, on a practical level, if we have a published website, how does it affect us?
In principle this is a legal and administrative matter, and we won't go into the details of the law, but it is fair to say that it is quite ambiguous and open to interpretation, so time will tell where its limits and tolerances lie. In any case, after consulting several experts, we can say that:
1) Every form on our website must have a checkbox where the user acknowledges having read our privacy and data handling policy and agrees to it. Important: the checkbox must not be pre-selected; the user has to tick it themselves. And since a checkbox is only a front-end control, the server should refuse any submission that arrives without that consent. We haven't met anyone who has actually read the policy, but it has to be there.
2) Our privacy and cookie policies have changed slightly, so we recommend consulting your advisors to adapt them to the new regulation.
3) There is a new "Data Protection Policy" section, which can be folded into our privacy policy or legal notice, though it is recommended that it be its own section. Again, we refer you to your advisors for the text.
4) In those sections we must give our users a way to review, modify, or delete their data from our systems. In practice, an email address they can write to with their requests will suffice, as long as whoever handles that mailbox confirms the requester really is the person behind the account before releasing or deleting anything.
5) If we send a newsletter, we must ask for permission again to keep sending it, so that we are 100% sure we have the recipient's explicit consent, whether they are an individual or a company.
6) As with the Data Protection Act (LOPD), we must implement reasonable measures to protect our users' data. The word "reasonable" is extremely ambiguous, so we'll have to wait and see how the different agencies and courts interpret it, but at a minimum we must keep all our equipment up to date with security updates and antivirus software, password-protected, and physically out of reach of outside eyes. That includes the web server and CMS behind the site, not just the office computers.
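As an added example (not code from the original post or from BE Creativos), here is what point 1 looks like in practice, and the same check serves the newsletter re-consent form from point 5: a form whose consent box ships unchecked, and the server-side handler that refuses the submission unless the user actually ticked it, storing a small consent record (policy version and timestamp) so that the consent can later be demonstrated. The field names, the policy version label and the record shape are assumptions for this example; a real site would wire `handleSignup` to its form POST route.

```javascript
// Added example, not the original page's code. Field names, policy version
// and the consent record layout are assumptions made for this illustration.

const PRIVACY_POLICY_VERSION = "2018-05-25"; // assumed label for the policy text in force

// Form markup. The consent checkbox has no `checked` attribute, so the user
// must tick it. `required` helps the browser, but the server check below is
// what actually enforces it, because anyone can POST a body without the field.
const signupFormHtml = `
<form method="post" action="/signup">
  <label>Email <input type="email" name="email" required></label>
  <label>
    <input type="checkbox" name="privacy_consent" value="yes" required>
    I have read and accept the <a href="/privacy">privacy and data handling policy</a>
  </label>
  <button type="submit">Send</button>
</form>`;

// Validates a parsed POST body (field name -> string, as a form body parser
// produces). Returns { ok: true, record } with the consent record to store
// next to the user's data, or { ok: false, error } when the submission must
// be rejected.
function handleSignup(body, now = new Date()) {
  const email = typeof body.email === "string" ? body.email.trim() : "";
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: "invalid email" };
  }
  // An unticked checkbox is simply absent from the body. Only the exact value
  // the form sends counts as consent; no guessing from other truthy strings.
  if (body.privacy_consent !== "yes") {
    return { ok: false, error: "privacy policy consent is required" };
  }
  return {
    ok: true,
    record: {
      email,
      consent: {
        policyVersion: PRIVACY_POLICY_VERSION,
        givenAt: now.toISOString(),
        // Keep the wording the user agreed to, so it can be shown back later.
        statement: "privacy and data handling policy accepted via signup form",
      },
    },
  };
}

// Template self-check: flags a consent checkbox that would render pre-selected.
function formHasPrecheckedConsent(html) {
  return /name="privacy_consent"[^>]*\bchecked\b/.test(html);
}
```

The important detail is that consent is derived only from the exact value the form sends and that the record stores which version of the policy was accepted and when; the HTML `required` attribute and the unchecked default are the user-facing half, the rejection in `handleSignup` is the half that holds up when the request does not come from the browser.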
If you are a BE Creativos client, we will be happy to help you with the technical changes needed to adapt your website to the new law. On the legal side, however, we refer you to your trusted data protection advisors. If you don't have one, we recommend ours: Green House Consultores.