About the General Data Protection Regulation
According to Wikipedia's definition, the General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. This regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise, regardless of its location and the data subjects' citizenship or residence, that is processing the personal information of individuals inside the EEA.
2018: The Deadline for Implementing the GDPR
The GDPR was adopted on 14 April 2016, and became enforceable beginning 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and applicable, but does provide flexibility for certain aspects of the regulation to be adjusted by individual member states.
2017 and 2018 were, therefore, a period in which I reviewed the navigation processes of different websites, as well as their forms, policy and terms and conditions and other client-oriented materials suitable for data collection (surveys, draws...) in order to comply with the regulation enforced.
My Duties as a Data Protection Controller and Processor
As a controller and processor of personal data I must put in place appropriate technical and organizational measures to implement the data protection principles.
Within the different businesses I have worked for since 2005 (Pearson, IE, Elesapiens, Diario Arganzuela, Moriah, Words & Metrics...), I have been responsible for providing safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate).
Also, my mission is designing processes with privacy in mind. For instance, guaranteeing that the datasets are not publicly available by default and that they cannot be used to identify a subject.
No personal data may be processed unless this processing is done under one of the six lawful bases specified by the regulation (consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent, the data subject has the right to revoke it at any time.
As a data controller I must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EEA.
As a freelance LSP and marketer, as well as a manager employed by different companies, I have had the obligation to protect the data of employees and consumers and to implement internal controls and regulations for various departments such as marketing and operations.