On May 25, the
new General Data Protection Regulation,
better known by the acronym GDPR, whose main objective is to establish within the European framework legal guarantees for the protection of the personal information of consumers,both that handled by public and private bodies.

The truth is that, today, there are already different regulations and bodies that deal with protecting our personal information.

However, the development of the Internet and the popularization of certain web portals and social tools have caused the volume and importance of personal data to reach dimensions never seen before.

Thus, the General Data Protection Regulation recognizes rights already protected by national regulations,such as the
and these are, for example: rectification, cancellation, opposition and access to personal information.

The new law adds a couple of new rights,such as data portability and the right to be forgotten.

The latter was already established by the Court of Justice of the European Union in 2014, when it declared that a person, as a user of search engines, had the right to request that their personal data not appear in Internet search results. The novelty is that it is now included in a global regulation and at Community level.

The GDPR also establishes limitson the processing of information that is used for statistical purposes in historical, scientific research or any file that may have public interest.

The General Data Protection Regulation 2018 under review

This regulation repeals European Directive 95/46/EC, which entered into force relatively recently, in May 2016.

The European Parliament carried out a regulatory reform in April of that year, with application for all member countries of the European Union with the aim of adapting the protection of personal data to the new digital reality.

Europe has given 2 years for companies and public bodies to adapt their structures and operation to comply with the law.

However, the truth is that it is a relatively ambiguous text, with areas too wide to give rise to multiple interpretations.

In addition, the challenge is added that, although it has many similarities with the current standard, it presents new challenges and obligations for business.

For example, those organizations that are engaged in digital advertising will need, for the first time, to strictly comply with data protection.

If at the time we already inform of the sanctions for non-compliance with the LOPD, with the arrival of the GDPR (GDPR) the fines rise by not acting in accordance with the regulations, even rising to EUR 20 million or 4% of a company’s annual global turnover.

How to adapt my company to the GDPR

For all the above, it is important that if you have a company, regardless of the size -since SMEs and the self-employed are included-, you become aware as soon as possible of this new law and adopt (if you have not already done so) the following measures:

Find a Data Protection Officer (DPO)

The Data Protection Delegate or DPO, is a figure that was born with the application of the new General Data Protection Regulation.

Although not all companies are obliged to have it, those that carry out activities that affect on a large scale or process personal data, suchas political or religious opinions, as well as those related to ethnicity or health, must count on it.

Public bodies will be required to have a DPO if they process data relating to criminal offences or other types of convictions.

The Data Protection Officer they appoint will have to be notified to a supervisory authority, which will be detailed the specific functions they will carry out.

Internal Register of Processing Activities

This is one of the new obligations imposed by the RGPD (GDPR) and entails the cancellation of registering the files with the Control Authorities, as was done until now.

However, some companies have to keep an Internal Register of Processing Activities.

Specifically, those that meet the following requirements:

  • Have more than 250 employees.
  • That they perform treatments occasionally.
  • Such processing could put people’s freedoms and rights at risk.
  • Develop the management of sensitive data processing such as: ethnicity, religion,… etc.


In short, the main objective of the
General Data Protection Regulation
is to establish a single set of rules for the whole of Europe so that, according to those responsible, the functioning of organizations throughout the European Union is facilitated and reduced.

On the other hand, companies from outside the European Union that are subject to the jurisdiction of these regulators will only have to deal with a single interlocutor, which will cause savings of about 2,300 million euros per year.