The European Union’s General Data Protection Regulation (GDPR) comes into force today. This new law places greater responsibility on companies to safeguard their customers’ personal data and introduces stricter penalties for non-compliance, including fines of up to €20 million or 4% of a company’s global turnover.

Various experts brought together today by ESADE Law School’s Conflict Management Research Group and ARAG, an insurance company specialised in legal defence, agreed that the legislative model has evolved and that the previous system, based on formal rules, is giving way to a flexible system in which each company has greater freedom to decide how it will organise itself, but always under the principle of “active responsibility”. According to the invited experts, it will no longer be necessary to keep records of files or to classify data by security level. However, these specialists did urge companies to “take the necessary measures” to safeguard data according to sensitivity (risk analysis, record of processing activities, data protection by design, etc.).

Avoiding penalties

According to data on Spain’s business and technology sector, the GDPR will affect more than 40% of Spanish small and medium-sized enterprises. Non-compliance with the GDPR could lead to fines of up to €20 million or 4% of a company’s global turnover (whichever is higher). The experts agreed that any company already in compliance with Spain’s existing Organic Law on Data Protection should have little difficulty adapting to the GDPR. However, they noted that GDPR implementation could be more complex for some companies, particularly sellers of consumer goods.

Data protection officer

One of the main changes introduced by the GDPR is that many companies will now be required to appoint a data protection officer (DPO). The DPO will supervise the application of appropriate technical and organisational measures that will guarantee GDPR compliance and will also act as a liaison with the authorities and with data subjects. The lawyer M. Belén Pose, Director of the Corporate Legal Consultancy Division at ARAG, urged companies to appoint a DPO who has “the necessary legal knowledge to work with the Spanish data protection authority as well as skills in new technologies”. Ms. Pose added: “The GDPR also requires companies to keep records of activities involving data processing and to carry out impact assessments in cases that may put the rights and freedoms of natural persons at risk.”

Right to data portability

The experts also discussed how the new right to data portability should be implemented so as to avoid penalties. Robert Madge, CEO of Xifrat Daten AG (Switzerland), commented that the right of the individual to request portability – the transfer of personal data to a different company – goes beyond data protection. According to Mr. Madge, this new right will foster competition among firms. “Companies that try to save their users’ data as their own property must take note. For new entrants, this will be a tool for accelerating their business and offering specialised services,” he commented. According to Mr. Madge, the GDPR introduces a change in concept: “Individuals will have the power to make decisions about their data.”

Finally, Pablo Díaz Ortiz, Data Protection Officer at CaixaBank, described his employer’s experience with the implementation of an impact-assessment methodology. He highlighted the major challenge involved in shifting from the classic approach to evaluating data protection issues, which focused on legal analysis, to a methodology based on global risk analysis, which takes into account technical and procedural factors as well as legal issues. He also described the experience and challenges of implementing this methodology at the group level.