In early September, 2017, the Spanish DPA (AEPD) presented the “Facilita RGPD” tool designed to help companies and professionals who carry out low risk processing of personal data comply with the new General Data Protection Regulation (GDPR), which will be enforceable on May 25, 2018.
According to the DPA, “The new tool consists of an online questionnaire whereby companies and professionals can verify that the data they process can be considered low risk and also allows them to obtain the minimum documents necessary to enable them to comply with the GDPR”.
On the day of the presentation of the tool, the DPA also signed a protocol of action with the major employer associations, CEOE and CEPYME, in order to promote the knowledge of the regulation among companies.
The DPA holds a Registry where companies (and public sector) must compulsorily register any data files they keep, which currently amounts to over 4.6 million private sector data files, out of which 75% are considered low risk processing and whose controllers are mostly SMEs.
The DPA stated that they will be offering the tool to the Group of European Data Protection Authorities so they can use it as a basis to offer this help service in their respective countries.
“Facilita RGPD” is designed as an online questionnaire that can be completed in 20 minutes through which companies and professionals can, first of all, verify through a series of questions that the data they process can be considered low risk and, secondly, obtain the essential documents to enable compliance with the GDPR at the end of the test.
The information that the companies provide -which the AEPD does not keep or monitor in any way- will allow them to obtain such documents almost completed. These templates include the basic requirements set by the GDPR, such as the records of processing activities, the information clause, the clauses that should be included if the company deals with a processor and an annex with the basic security measures.
The test is divided into four blocks. In the first block, the organization must select what is its sector of activity and the type of data it processes. Then, once it is found that the processing carried out involves, a priori, a low level of risk for the rights and freedoms of subjects, the tool will ask the data controller to provide certain information about the company (name, address, tax number or telephone, among others). In the third block, the application will request information about the processing the company performs (clients, employees, resumes of candidates, etc.). With the information provided, in the last phase, the basic necessary documents will be generated to enable compliance with the GDPR.
Since the GDPR will be directly applicable on May 25, 2018 and it has a totally different approach to the matter of data protection in Spain so far, AEPD aims at encouraging compliance as far as possible, especially among SMEs, which account for 99.8% of the Spanish overall businesses and for which adapting to the new legal framework may imply greater difficulty, in many cases due to lack of resources. With the launch of “Facilita RGPD”, the DPA wants to offer them a help tool so that they can know, in the simplest way possible, the implications and changes that the new norm means, so that they can take the necessary measures.
“Facilita RGPD” adds to other initiatives that the AEPD has launched to promote compliance with the new Regulation, among which we highlight the Certification Scheme for DPOs presented to offer safety and reliability both to the privacy professionals and to the companies and entities that will hire their services.
In addition, the AEPD is working on further materials to guide companies that cannot use “Facilita RGPD”- essentially, because they do not exclusively deal with low-risk data - to perform the risk analysis required by the GDPR.
In the past few months, the AEPD had presented other materials to help SMEs comply with the GDPR, namely, a “Guide for complying with the Duty to Inform”, a “Guide to the Regulation for Data Controllers” and “Guidelines for Drafting Contracts between Data Controllers and Processors”.
“Facilita RGPD” tool can be checked here.
Article provided by: Belén Arribas, Lawyer, Miliners Abogados y Asesores Tributarios