Spain – The new GDPR and the challenges it presents are the focus of the 8th annual meeting of the Spanish Data Protection Agency
Published 29 June 2016
The 8th annual meeting of the Spanish Data Protection Agency ("SDPA"), which took place on 29 June 2016, was opened by the Minister of Justice, who described the GDPR as “the principal milestone in this area in recent years”. During the meeting, the Director of the SDPA recommended that organisations take an approach of “progressive adaptation” in respect of the GDPR before it becomes applicable in May 2018.
The recommendations of the Director of the SDPA for this progressive adaptation approach included a look at the concept of consent. The SDPA advised that organisations relying on so-called tacit consent for the processing of personal data start reviewing their data collection procedures, because from May 2018, data controllers will only be able to rely on unambiguous and explicit consent for the processing of personal data, irrespective of the moment when consent was obtained.
As of 2018, data processing which entails a potential risk for individuals' data protection will be subject to a privacy impact assessment. As such, according to the SDPA recommendations, companies should start to design a system, choosing an appropriate methodology to carry out privacy impact assessments and identifying the work equipment and a number of conditions that cannot be improvised when the GDPR becomes applicable.
Another recommendation of the Director of the SDPA concerned Data Protection Officers. The GDPR establishes that Data Protection Officers must be appointed on the basis of their professional qualifications, in particular their knowledge in the field of data protection, and their ability to carry out the relevant functions. However, the GDPR does not specifically lay down what these professional qualifications should be or the way in which ability should be measured. The SDPA is assessing the possibility of using a system to certify their professional qualifications in accordance with established standards.
The SDPA is also worried about the relations between data controllers and data processors. The GDPR establishes higher standards for the written contracts that govern these relationships than the standards established under the Data Protection Directive. However, Spanish companies are more prepared for this change, taking into account that Spanish data protection legislation already implements high standards regarding the obligations to be included in the data processing agreements between data controllers and data processors. In any event, Spanish companies should establish new updated wordings for data processing contracts, to be used in new contracts and in those already in place that will continue after 2018 and may need to be amended. The SDPA is preparing some guidelines for these agreements that will be published in the coming months.
Lastly, it should be added that the SDPA mentioned that it is already working on and designing some tools focused on compliance for SMEs, such as an online resource for low or very low risk data processing, which will be set out in an easy to understand way and will include a list of measures that SMEs have to implement on the basis of such a low or medium level of risk. It is expected that this resource will be supplemented with other more advanced guidance, addressed to SMEs that carry out data processing of higher risk (such as the management of sensitive data), which will include a section on the security measures that should be implemented by the SMEs. The SDPA is also working alongside the regional data protection agencies in Spain. Thus, it is expected that the SDPA will provide a range of recommendations or criteria to help reflect the different issues that the GDPR requires over the coming years.
Organisations should take note of the SDPA's recommendations when preparing for the GDPR and, as part of that, keep track of the new guidance and tools issued by the SDPA.