According to the GDPR, the obligation to perform an audit in order to comply with it is not explicitly specified in any of the articles. It is simply established that the companies have to permanently comply and be constantly updated about it.
On the other hand, the Regulation of the Organic Law of Protection of Data that shall be approved by the Cortes Generales* at the end of the year in principle provides that the companies with a high number of workers and/or workplaces and/or that they treat cataloged data as “sensitive” to the law itself, they have to perform an audit process on a biannual and mandatory basis.
*Cortes Generales is the bicameral legislature in Spain. It consists of two chambers: the Congress of Deputies and the Senate.
What is considered as sensitive data to know if I have to do the biannual audits?
The sensitive data are those data that due to their special impact on privacy, public freedoms and the fundamental rights of the person, need a greater protection than the rest of the personal data. Currently, the category of data considered sensitive would be as follows:
- Political views
- Union membership
- Religious beliefs
- Philosophical beliefs
- Racial or ethnic origin
- Health data
- Sex life
- Genetic data
- Biometric data
- Sexual orientation
List of companies that due to the processing type require security measures of medium or high level and therefore require an audit.
Companies whose main activity coincides with any of the following:
- Digital marketing
- E-commerce
- Educational centers or academies
- Health centers (physiotherapy, opticians, dental clinics, health clinics, centers of any kind that imply maintaining a medical history or medical reports of patients).
- Psychologists
- Professional associations
For companies that have either more than 100 workers or more than one workplace, it is recommended that they do an audit.
Privacy Impact Assessment (PIA – Evaluations of impact)
According to the Spanish Agency for Data Protection (AEPD), the PIA is the “exercise of risk analysis that a given system of information, product or service may imply the fundamental right to protect data of those affected, in order to face the effective management of necessary measures to eliminate or mitigate them”.
When should it take place?
It is not always necessary to perform an Impact Assessment; however, it is advisable to analyze the possible risks of the company as mentioned above.
The new European regulation assesses that it is mandatory when one of the following characteristics occurs:
- High risk
- Systematic evaluation
- Processing of particularly protected data on a large scale
- Use of invasive technologies. These would be invasive technologies with privacy, for example:
- Video surveillance on a large scale
- Unmanned aircraft (drones)
- Electronic surveillance
- Data mining
- Biometrics
- Genetic techniques
- Geolocation
Which companies are required to perform a PIA? Some of the entities that have to perform an impact evaluation are:
- Pharmaceuticals
- Hospitals and clinics
- Private security, surveillance and control
- Energy providers
- Companies that perform e-commerce
- Schools
Pridatect, in addition to the adequacy software, offers the audit service to ensure full compliance with the regulation in a simple and efficient manner. Contact us for more information.
