A year of GDPR in Spain

A few months after the entry into force of the GDPR, the new Spanish Data Protection Act (hereinafter "LOPDGDD") was approved, which incorporated a list of digital rights. The Act also contained a final provision enabling the collection of personal data relating to the political opinions of data subjects for the purpose of sending electoral propaganda. The Constitutional Court has granted the appeal of unconstitutionality presented by the Ombudsman, who declares null and void the article incorporated in the Spanish Electoral Law by the final provision of the LOPDGDD. 

The Agency has published multiple guides and tools to help comply with the new regulations. In addition, it finally published on May 6, 2019 the list of processing operations of personal data subject to the requirement for a data protection Impact Assessment and the publication of the list of treatments that do not require is pending. 

In its Annual Report, the Spanish Authority gives us figures: 14,146 complaints registered from January to May, 34,193 Data Protection Officers, a total of 547 notifications of personal data breaches from the entry into force of the GDPR until the end of 2018.

With regard to penalties, the Agency's position so far has focused on raising awareness and making tools and guidelines available to data controllers and data processors in order to facilitate adaptation. For now, since the application of the GDPR and LOPDGDD, no fine has been imposed but multiple penalties in the form of reprimands. 

There are many questions in relation to the figure of the DPO. Numerous discussions between experts throughout the year have highlighted the need to draw up a legal statute to regulate this new profession. We will see the evolution of this new figure, its legal position and within organisations, the limits of its responsibility and the professional skills that companies are really going to demand of it. So far, we are aware that a DPO has to "know the laws", know about risks, systems and technology and will have to have a series of skills to gain a voice among the senior management positions.

Carlos Alberto Sáiz correctly stated in the round table that took place in the Digital Enterprise Show last May 21, that: "The race started in 2016 and not the goal (...) we are in the prehistory of the new paradigm of privacy". There is still a long way to go both for data protection experts and for large, medium and small enterprises. Adaptation to the new regulations implies raising awareness, starting with the youngest, of the importance of privacy and training in this area. In addition, the dynamism of business activities is also reflected in Data Protection, which requires companies to regularly check and verify the effectiveness of the measures they have implemented.  

Companies that invest in protecting the personal data they process will gain a competitive advantage and a reputational bonus. The breach can be more expensive than the adaptation.