
A practical GDPR guide for SMEs in 2026

18 May 2026 · 7 min read

The General Data Protection Regulation (GDPR) and Spanish data protection law are not just for large corporations. Any company that processes data of clients, employees or suppliers must comply. This guide sums up the essentials.

1. Record of processing activities

You must document what data you process, for what purpose, for how long and who you share it with. It is the starting point of any audit.

2. Legal bases

Every processing operation needs a legal basis: consent, a contract, a legal obligation or legitimate interest. Without one, the processing is unlawful.

3. Information and consent

Web forms, contracts and communications must clearly inform about data use. Consent must be freely given, specific and unambiguous.

70% of penalties against SMEs are due to basic failures: forms without information, no record of processing activities or missing processor contracts.

4. Information security

The baseline technical measures are encryption, backups, access control and password policies. Measures must be proportionate to the risk posed by the data processed.

5. Security breaches

In the event of a breach you have 72 hours to notify the Spanish Data Protection Agency. Having a protocol in place makes all the difference.

At Eritia Privacidad we carry out the full adaptation of your company so it meets all these obligations with complete guarantees.

Shall we talk about your company’s security?

Request a first assessment with no commitment. We analyse your situation and propose a tailored plan.