A year has already passed since EU Regulation 2016/679 by the European Parliament and the European Council, dated 27 April 2016, came into force, regarding the protection of individuals in terms of processing personal data and the free circulation of this data, better known by everyone as the GDPR.

The weeks previous to 25th May 2018 are well in the past, when we all received the barrage of emails from unknown companies that had our data, asking for our consent to be able to process it. Despite this denoting a lack of intepretation of the legitimating causes for the data processing provided in the GDPR, it is also true that it helped to clear up and highlight the change in the paradigm concerning what was to be understood by consent in this new regulation.

We went from having tacit consent, which was valid up until the date, to the demand for consent to be granted via a clearly affirmative act that would reflect a manifestation of free, specific, infomed and unambiguous will from the interested party to accept the data of a personal nature about them to be processed.

In June 2018, the Spanish Data Protection Agency (AEPD), the Spanish supervisory authority with skills relating to data protection, publishes their Data Protection Delegates certification scheme.


What is or who is the Data Protection Delegate?

The concept of DPD is not new. Although the Directive 95/46/EC did not require any company to appoint a DPD, in practice this appointment did take place however, in several Member States over the years, but it was not the case in Spain. That is why, in Spain it has turned out to be one of the most important updates that the GDPR has introduced and it is one which has had a more comprehensive implementation by the new national legislation (LOPD-GDD), which we will make reference to later on.

In short, the DPD is tasked with supervising the compliance with of the current law regarding data protection within companies, and they act as a point of contact regarding data protection within the company, working with the interested parties and the Spanish Agency for Data Protection itself.

Moving forward with the evolution during this first year with the GDPR, during the last quarter of 2018, important security issues came to light which affected millions of users as they saw their personal data exposed, as was the case with Facebook and Cambridge Analytics, the Google + data exposure, the breach in security in the Marriot International hotel chain, British Airways, Quora, etc.

Since the GDPR came into force, the appropriate Control Authority must be informed about these breaches, as must the users whose data has been affected, provided that it has been detrimental to their fundamental rights and liberties.

In order to obtain a view of the evolution of this new obligation provided for by the GDPR, we can take the last monthly report (April 2019) about the notifications of security breaches, published by the Spanish Data Protection Agency (AEPD) as a reference. Here, it can be seen how there has been a total of 95 notifications of security breaches, of which around 20% were made in Public Organisations. It should also be highlighted that the most common methods used to perform these security breaches during this period were hacking, the loss/theft of devices and Malware incidents.

We must not forget in this short summary about the GDPR about identifying the appropriation of Spanish legislation regarding data protection to the requirements and updates introduced by the European Regulation. In this way, on 6th December 2018, the new Organic Law on Personal Data Protection and the guarantee of digitial rights (LOPD-GDD) came into force, which is the law that currently lives alongside the GDPR.

A lot was said in the beginning about the extortionate sanctions that the GDPR anticipated, from 10 million to 20 million euros or from 2% to 4% of the global annual total business volume of the previous fiscal year. It wasn’t until January 2019 when the CNIL, the French control authority concerning data protection, imposed a 50 million euro fine on GOOGLE for infractions linked to the duty to inform and obtain consent from its users.

Analysis of first year of the GDPR

The global analysis of this first year of the GDPR is clearly positive but with some subtleties; a high percentage of the Spanish business network has still not adapted to the current legislation regarding data protection, and this is a shortcoming that must be resolved over the next few years, with the aim of offering greater trust in interested parties and third companies.

Despite the future being uncertain, it is clear that there is greater awareness in the companies that deal with data of a personal nature, as is the case with the interested parties, who are more and more aware and more sensitive to the importance of deciding about their own data. In the next few years we hope to see the implementation of codes of conduct of compliance standards regarding the GDPR, as well as a further development of the national legislation (LOPD-GDD), with the aim of shedding more light and simplying all the points that both the GDPR and the LOPD-GDD have been unable to work out and execute, from a practical point of view.

With the arrival of new technologies which promise endless advantages and possibilities, there are also new vulnerabilities in terms of privacy and security which nobody is immune from. That is why we must keep fighting to protect our data, as a great intangible asset, which is fundamental for all companies in this digital era of ours.

We celebrate this first anniversary of the GDPR, not as a challenge that has been accomplished, but as a starting point on a long journey towards information security, privacy and data protection.