Executive summary · TL;DR
GDPR (EU Regulation 2016/679) and Spanish Organic Law 3/2018 (LOPDGDD) are not bureaucratic formalities: they are the rules protecting the fundamental right to privacy, and breach can cost your company up to €20 million or 4% of its global turnover. The AEPD (Spanish Data Protection Agency) has amply demonstrated its sanctioning capacity. This guide provides a complete and practical view of what you need to do to comply with GDPR and protect your business.
The General Data Protection Regulation (GDPR) and Organic Law 3/2018 (LOPDGDD) are binding on every company that processes personal data, regardless of its size. The AEPD has demonstrated its sanctioning capacity: it has imposed multi-million-euro fines on large corporations and, on a smaller scale, sanctions on SMEs and the self-employed.
The seven GDPR principles
GDPR is built on seven principles that must guide any processing of personal data. Lawfulness, fairness and transparency requires data to be processed lawfully, with a valid legal basis, and with full transparency to the data subject. Purpose limitation establishes that data may only be collected for specified, explicit and legitimate purposes. Data minimisation requires that only strictly necessary data is collected. Accuracy requires data to be up to date and correct. Storage limitation establishes that data is not kept longer than necessary. Integrity and confidentiality requires adequate security measures. And accountability obliges the company to demonstrate compliance with all of the above at any time.
Legal bases: why can you process data?
You cannot process personal data for no reason. You need a valid legal basis from the six recognised by GDPR (Article 6). The data subject's consent must be freely given, specific, informed and unambiguous, and revocable at any time. Performance of a contract justifies processing the data needed to fulfil a contract with the data subject (or to take pre-contractual steps at their request). Compliance with a legal obligation covers, for example, tax or labour obligations. Protection of vital interests is limited to emergency situations. Public interest or the exercise of official authority applies mainly to public bodies. And legitimate interest requires a documented balancing test between the company's interest and the data subject's rights and reasonable expectations.
The correct legal basis must be determined before processing begins and documented in the Record of Processing Activities.
The Record of Processing Activities (RoPA)
The RoPA is the central document of your GDPR compliance. For each data-processing activity you carry out, it must include the name and contact details of the controller (and DPO if applicable), the purpose of the processing, the legal basis, the categories of data subjects and personal data, the recipients of the data (including processors and international transfers), retention periods, and a general description of the security measures.
The RoPA is not a static document: it must be updated every time a new processing activity is started, the purpose of an existing one changes or any of its elements is modified.
Data subject rights: practical obligations
GDPR recognises eight rights that your company must be able to handle within one month of receiving the request; that period can be extended by two further months for complex or numerous requests, provided you inform the data subject of the extension and its reasons within the first month. The right of access lets the data subject obtain a copy of their data and information on how it is processed. The right of rectification lets them correct inaccurate data. The right to erasure (right to be forgotten) lets them request deletion. The right to restriction lets them limit processing in certain circumstances. The right to portability lets them receive their data in a structured, commonly used, machine-readable format and transfer it to another controller. The right to object lets them oppose processing, including an absolute right to object to direct marketing. The right not to be subject to automated decisions protects against decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. And the right to withdraw consent can be exercised at any time, and withdrawing must be as easy as giving it.
Your company must have documented procedures to handle each of these rights, an accessible communication channel (email address, web form, postal address) and a log of received and handled requests.
Security breaches: notification obligation
When a security breach affects personal data (unauthorised access, loss, destruction or alteration), you must assess the risk to data subjects' rights and freedoms and act accordingly.
Unless the breach is unlikely to result in a risk to data subjects, you must notify the AEPD without undue delay and, where feasible, within 72 hours of becoming aware of it; if the notification is late, it must state the reasons for the delay. Breaches you decide not to notify must still be documented internally, with the reasoning, so you can show the AEPD why they were not reported. If the risk is high, you must additionally communicate the breach to the affected data subjects without undue delay.
The notification to the AEPD must include the nature of the breach, the categories and approximate number of affected data subjects, the contact details of the DPO or point of contact, the likely consequences of the breach and the measures taken to mitigate its effects.
The AEPD has developed the Comunica-Brecha tool to facilitate the assessment and notification of security breaches. Do not wait until you suffer a breach to familiarise yourself with it.
AEPD sanctions: real examples
GDPR sanctions split into two tiers. Lower-tier infringements (for example, failures in security measures, records, processor contracts or breach notification) can be sanctioned with up to €10 million or 2% of global annual turnover, whichever is higher. Higher-tier infringements (for example, breaches of the principles, legal bases, data-subject rights or international transfer rules) reach €20 million or 4% of global annual turnover, whichever is higher.
In Spanish practice, the AEPD has imposed significant sanctions on companies of all sizes. Sanctions to SMEs typically range between €1,000 and €60,000 for infringements such as sending commercial communications without consent, lacking information clauses, missing controller-processor contracts or late or incorrect handling of rights.
Technical and organisational security measures
Article 32 of GDPR requires security measures proportional to risk. It does not establish a closed list: each company must evaluate which measures are appropriate considering the state of the art, cost of implementation, the nature and scope of processing, and risks to data subjects' rights.
The most common measures include role-based access control with multi-factor authentication, encryption of data in transit and at rest, periodic backups with restore verification, staff training in data protection, incident management procedures, clean-desk and screen-lock policy, and access logs for personal data.
ISO 27001 certification is useful evidence that your company manages information security systematically, and it helps document the accountability principle. It is not, however, a GDPR certification under Article 42, and it does not by itself demonstrate compliance: the AEPD will still expect the RoPA, the risk analysis, the legal bases and the handling of data-subject rights to be in order.
GDPR compliance checklist for SMEs
Verify that you have:
- the Record of Processing Activities complete and up to date;
- information clauses at every data-collection point (web, forms, contracts);
- contracts with all data processors;
- documented procedures to handle data-subject rights;
- the privacy policy up to date on your website;
- consent management for commercial communications;
- a processing risk analysis;
- security measures implemented and documented;
- the breach-notification procedure;
- the appointment of the DPO, if mandatory.
Frequently asked questions
- What is GDPR for companies?
- GDPR (EU Regulation 2016/679) and Organic Law 3/2018 (LOPDGDD) are the rules that protect the fundamental right to privacy. They oblige every Spanish company processing personal data and every company offering goods or services to people in the EU.
- Who does it apply to?
- It applies to every company, public body, self-employed professional or organisation that processes personal data, whatever its size or sector. The type of data processed and the scale of processing do not change whether GDPR applies; they change which obligations apply (for example, whether a DPO or an impact assessment is mandatory).
- What are the sanctions?
- Sanctions can reach €20 million or 4% of annual global turnover, depending on the type and severity of the breach.
- How much does it cost to implement?
- For an SME, typical costs range from €3,000 to €15,000 depending on scope, including external consultancy, tools and training.
Need to bring your company's GDPR compliance up to date? Let's talk for a data-protection audit that identifies your compliance gaps and provides a prioritised action plan.
Related questions: scope, cost, timelines and funding
- How does this apply to my SME?
- It applies as soon as you process personal data of people in Spain or the EU (customers, employees, suppliers, web visitors). There is no headcount or turnover threshold: the only size-related difference is whether appointing a DPO is mandatory, which depends on the cases listed in Article 37 GDPR and Article 34 LOPDGDD.
- What does it cost in 2026?
- Indicative ranges for SMEs of 10-50 employees: 2,500-12,000 EUR for documentation and advisory work. If you also pursue ISO 27001 certification, certification-body audit fees (AENOR, BV, SGS, LRQA) are charged separately and vary by body.
- Which Spanish regulation applies?
- Depending on scope, the BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act (Regulation 2024/1689).
- How long does the implementation take?
- Around 4-7 months for a single ISO standard. An integrated management system (9001+14001+27001) usually takes 8-12 months.
- Can I co-finance it with Kit Digital or Kit Consulting?
- Yes: Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.
Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro