The Spanish data protection watchdog (AEPD) has launched a first call for companies to start adapting to the new General Data Protection Regulation (GDPR), which will take effect from 25 May 2018. GDPR represents a major change in the management and culture of personal data protection. The AEPD outlines the following key areas to prepare for implementation:
1. Consent. The GDPR sets out that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data. This excludes the so-called tacit consent, permitted by current Spanish data protection regulations.In the AEPD’s view, consent obtained prior to the GDPR’s entry into force will be only lawful provided that informed consent complies with the new GDPR rules when these take effect in 2018. Thus, the AEPD recommends that entities that until now have used the tacit consent as a ground for the processing of personal data begin to review obtained consents to adapt them to the new rules.
2. Information. The principles of fair and transparent processing impose information duties which are not required by Spanish law at the moment. In the AEPD’s opinion, during the interim period until May 2018, companies shall adapt their information schemes in two ways:
- providing the additional information through their websites or by any other regular communication channels they use with their clients; and
- adapting their current data protection policies to GDPR’s new information requirements. In this regard, there are some details of the information requirements that could depend on the adoption of further decisions (for instance, information related to Data Protection Officers). However, the AEPD notes that, with certain exceptions, new information requirements can be anticipated already.
3. Impact assessments. In order to enhance compliance with the GDPR, where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, and severity of that risk.
In the AEPD’s statement, the Agency advises that impact assessments require preparation, the choice of appropriate methods, appointment of working teams and meeting a number of other conditions – which should not be underestimated or improvised. Thus, the AEPD advises that impact assessment mechanisms should be incorporated into companies’ practices as soon as possible.
4. Certification mechanisms. The GDPR pays particular attention to the implementation of certification mechanisms, which may be issued by:
- supervisory authorities or the European Data Protection Board; or
- certification bodies accredited by (i) the relevant supervisory authority or (ii) a national accreditation body according to European law.
The AEPD’s preference is for certification bodies. Indeed, the AEPD appoints the Spanish National Accreditation Entity (ENAC) as responsible for carrying out the accreditation of certification bodies, together with AEPD’s participation.
5. Data Protection Officers (DPOs). DPOs shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in the GDPR. However, the GDPR does not provide an in-depth analysis of such specific qualifications.
In this regard, the AEPD has decided that it would not be appropriate to establish a specific certification system as a compulsory precondition for access to the profession of DPO.
These credentials may be considered as an added value tool for organisations appointing DPOs. Thus, in order to make the certification offer as rigorous as possible for the benefit of companies, it is necessary that such certificates meet a series of quality standards. For that purpose, the AEPD is planning to implement certification systems in collaboration with the ENAC.
However, the AEPD underlines that such certifications should not be a barrier for those professionals who, without having obtained a relevant certificate, have significant experience in the field of data protection. The decision as to who to appoint as DPO, when appropriate, has to be left up to the affected organisations.
6. Data controller – data processor agreements. As regards data processing agreements between controller and processor, the GDPR sets out a number of new requirements, going further than the current obligations under Spanish law. The AEPD recommends carrying out two parallel actions for the interim period:
a. reviewing existing agreements with data processors so that in May 2018 these are compatible with the provisions of the GDPR; and
b. to include into any new data processing agreements every element considered mandatory under the GDPR.
The AEPD has announced that is working on the preparation of a set of specific recommendations concerning data processing contractual clauses.
7. SMEs and data protection tools. The AEPD has confirmed that is working on the preparation of tools aimed at helping data controllers and processors to comply with the new GDPR, among others:
a. an online resource for SMEs intended to define whether there is a low or very low risk on the processing of data and, if that is the case, providing with a list of the measures to be implemented on the basis of such a low level of risk;
b. an online advanced resource aimed at serving SMEs that carry out high-risk data processing (sensitive data) to implement all specific security measures derived from GDPR;
c. drafting informative clauses adapted to the new GDPR for particular industry sectors.
*This article was co-drafted by Associate Marcos García-Gasco and Trainee Angelica Martellato.