Enrique Reina, professor at the School of Engineering - Tecnun and Delegate for Data Protection of the University.
European Data Protection Regulation
From now on, consent for companies to send you offers of new products or services in the future must be collected through an affirmative action by the user.
We have been suffering for weeks now from a barrage of messages inviting us to renew subscriptions to newsletters and advertising by email. Mobile apps insistently remind us that we must accept new privacy policies if we want to keep them working. What is behind this campaign that links big companies like Google with an e-commerce store or the garage where we changed the tires on our car years ago?
The European Data Protection Regulation will start to be applied today. It is a regulation of obligatory compliance in all the countries of the European Union, and it unifies the different existing national legislations. Among other new features, it includes several measures to provide greater transparency in the information the user receives at the time of giving consent to receive future offers of new products or services.
The most important change is that, from now on, this consent must be collected through an affirmative action by the user. In other words, it will no longer be sufficient to fill in a form with a checkbox on the last line next to the well-known text: "Check here if you do not wish to receive any more messages". Instead, for the consent to be valid, it will be necessary to check a box to indicate that you do want to receive messages, or to perform some other action that shows the interested party's willingness to continue receiving advertising. Pre-ticked boxes are also no longer valid. If users want to receive information, they must tick the boxes themselves and clearly request it.
On the other hand, the company that performs the marketing will have the obligation to prove that the consent was obtained under the above conditions. The most common way of doing this is what is known in the jargon as "double opt-in": the interested party expresses their willingness to subscribe to the service, and has to reaffirm it by entering a personalized code received by e-mail or SMS.
In addition, the Regulation prohibits the use of data that has not been collected under these consent conditions. This is why all companies are rushing to renew their old databases by means of "re-opt-in" campaigns in which they once again request the permission of their subscribers, this time with positive consent and double opt-in. It is worth the risk of losing customers who do not reply or reply negatively if you get a fully legalized database.
The new regulation also makes it mandatory to state transparently, at the time of collecting consent, what is going to be done with our data, especially if the company to which we are giving the data is going to transfer it to another, and how long the data will be used. The Regulation has added to the already known ARCO rights (access, rectification, cancellation or deletion, and objection to the processing of data) the new right of data portability between companies, and has created two new types of sensitive or specially protected data, genetic and biometric data, which are added to the existing ones: religious beliefs, political ideologies, sexual life or orientation, trade union membership, health data, etc.
Finally, what has the European Union done to encourage the implementation of the new measures? Firstly, it has created the figure of the Data Protection Officer. We should get used to its acronym, DPO, because we will find it at the bottom of many e-mails. This is an independent expert, a sort of "user ombudsman" who must advise the company or institution for which he or she works (Public Administrations are also subject to the Regulation and must have their DPO) on compliance with data protection legislation, acting as an intermediary between the data protection authorities, the companies and the people affected, who can exercise their rights through the DPO. It has also added an important motivation to encourage such compliance: fines of up to twenty million euros or 4% of the company's annual turnover, amounts capable of making even the Internet giants turn pale.