The file security levels set by the Organic Law of Protection of Personal Data of Spain establish different degrees that must be taken into account when handling information of natural persons.
For this reason, it is necessary that you know what those levels are and how you must comply with them, according to the LOPD. This information can be found in the following paragraphs of this post.
You will also be able to read an analysis related to the possibility of being sanctioned if you do not comply with current regulations. Pay attention and know all the legal aspects of cybersecurity.
What are the file security levels established by the LOPD?
The Organic Law on Protection of Personal Data, also known by its acronym LOPD, is a Spanish law whose new version was put into effect in 2018 and that regulates and protects the rights of people in terms of their privacy and social meaning. It is based on Article 18 of the Spanish Constitution of ’78. In general terms, the Personal Data Protection Law sets out the precautions that agencies and entities that handle people’s information must take.
That is, the information must be complete, be available when required by the owner of the data or any other organization established by law, be limited to the amount of data necessary to reach the goal, and not be kept any longer than applicable once the task for which the data was needed is completed. If the elements mentioned in the previous paragraph are not complied with, a fine of up to 600 thousand Euros can be applied.
To avoid this inconvenience due to lack of attention or other external issues, every time you want to save, share or destroy documents that contain personal data, a system must be chosen in accordance with the security levels established by law, which can be basic, medium or high. That is, the law organizes 3 levels of security for considering that the safeguarding, delivery and destruction of the files that hold the data are correctly complied with.
This is regulated in accordance with article 103 and subsequent articles of the regulation. This article establishes the bases for determining the criteria needed to decide the level of security to use. It is in this section of the law where you have to take into account what data is stored in the files. It is possible to find topics related to political ideologies, religion, sexual orientation and other types of beliefs held by individuals who submit their data to computer sites.
The three levels of data security: what does each one consist of according to the LOPD?
As we mentioned before, the three levels of security that the LOPD grants are low, medium and high. Due to the importance of complying with the regulations so as not to incur a fault, it is necessary to analyze each of these levels that must be fulfilled by the entities that keep personal information of individuals.
Next, we develop each one:
Low
The agencies that protect information in files must have a basic level of security when data is transferred between different entities authorized by law. This data includes, for example, the address, the DNI or the telephone number.
In order to comply with the implementation of the measures, it is necessary that all personnel who work in the company that protects the information know the functions and obligations that exist on data protection. Further, it is necessary to keep a record or accounts up to date. This will allow any type of incident that has occurred in a given period to be notified. Finally, a backup should be carried out once a week.
Medium
As in many laws, this level must meet the basic security requirements mentioned above, but also include additional privacy protection rules.
If you want to comply with the law, it is necessary to carry out the following type of control:
- Have a check-in and check-out of all the files that are kept in one place. To this must be added the name of the person in charge who takes out and delivers the folders from the control site. There must also be a record of the person in charge of guarding the files.
- Keep notes with a detailed account of the treatment of the files.
- Carry out surprise and planned audits. In this case, it is important to make the results known and explain what the recommendations are for the deviations found in that process.
To establish this level of security, documents related to the following activities must be included as data in the files:
- Criminal and administrative offenses.
- Economic solvency and assets of the individual.
- Tax administrations and any organization that exercises powers related to this matter.
- Social security services, including work accidents and occupational diseases.
- Professionals or anyone who performs and evaluates aspects related to the personality of the inhabitants of the national territory.
High
High security levels are related to files that deal with topics on:
- Religion, racial origin, identity and sexual activity, and union membership.
- Acts and deeds that are related to gender violence.
- Files that collect data and police investigations.
For this reason, in order to comply with the requirements established by law, it is necessary to have the previous security levels in place and add other, much more efficient measures for safeguarding.
Among these techniques are:
- Encrypt data and maintain a significant number of backups, which must be stored on different computers that are protected by video cameras and authorized personnel.
- Keep the record of people's access to the data for 2 years. This information must be saved and backed up with a backup made once a month.
- Have a protection and control system for fires, floods and any other type of natural catastrophe.
- For data that cannot be backed up digitally, you must make one or more copies and keep them in a safe place, handled by personnel who are trained to handle these files.
Can I be penalized if I do not comply with this regulation?
If the legal provisions established in the Organic Law on Protection of Personal Data are not complied with, the bodies that handle personal data may receive sentences in the civil and criminal spheres. Therefore, they must respond with their assets and with prison sentences. The sanctions will depend on the degree of non-compliance with the security level and its recurrence.
The amounts of the sanctions stipulated by law are classified as:
- Mild: from 900 to 40,000 €
- Serious: up to € 300,000
- Very serious: you can pay up to 600 thousand Euros.