During the period from the Regulation’s entry into force until 25 May 2018, controllers and processors should undertake at least the following actions:
In accordance with the Regulation, the controllers and processors of data processing operations which are expected to be maintained beyond 25 May 2018 must, prior to that date, create a record of the processing activities they carry out, in which they must also record those processing activities they initiate as from that date.
In those cases where consent is the legal basis for the processing they carry out, the controllers and, where applicable, the processors, must examine the manner in which consent is obtained. Cases in which consent is given through pre-ticked boxes or silence should be reviewed, among other actions. As from 25 May 2018, processing operations carried out previously and those initiated from that date must meet the requirements of the new Regulation.
The new requirements for the transparency of processing mean the content of clauses used until now to provide information to the persons concerned must be revised.
In the case of information collected prior to the entry into force of the GDPR, it is recommended that all available channels be used to supplement the information already provided with the additional content established by the Regulation. For example, the appropriate information clauses could be published on the organisation's website, or the information could be supplemented in the communications maintained with the persons concerned.
The APDCAT has been recommending that organisations with processing contracts which will foreseeably remain in effect beyond 25 May 2018 adapt those contracts to the requirements of the new Regulation.
Notwithstanding the above, according to the second transitional provision of Royal Decree-Law 5/2018, of 27 July, on urgent measures for the adaptation of Spanish law to European regulations on data protection, the contracts and agreements for processing entered into prior to 25 May 2018 maintain their validity until their expiration date.
Indefinite contracts maintain their validity for four years, counting from 25 May 2018.
In any case, during the validity of the contract or agreement, any of the parties may ask for its modification to adapt it to that established in Article 28 of the GDPR.
When processing which is being carried out and is expected to continue beyond 25 May 2018 is likely to result in a high risk to the rights and freedoms of natural persons, the controller must conduct a data protection impact assessment of the personal data processing operations prior to that date and adopt such corrective measures as the assessment shows to be necessary. A single assessment may cover all similar processing operations.
In the case of processing operations initiated prior to the Regulation becoming applicable but expected to continue beyond the month of May 2018 and on which an impact assessment is to be carried out, it is advisable that the assessment be conducted no later than 25 May 2021.
Where a data protection impact assessment indicates that the processing is likely to result in a high risk that has not been mitigated, the Catalan Data Protection Authority should be consulted prior to the initiation of the processing activities.
Prior to 25 May 2018, the mechanisms employed to transfer personal data to third countries should be examined to ensure they comply with the new Regulation.
The personal data security provisions of the new Regulation require a risk analysis of those processing activities that are expected to continue beyond 25 May 2018, in order to determine the security measures that must be implemented prior to that date to meet the requirements of the new law.
As from 25 May 2018, a protocol must be in place to immediately notify any personal data breach to the data protection authority and, where applicable and required, to the data subjects concerned.
Prior to 25 May 2018, public bodies and other organisations that are required to do so must designate a data protection officer, who will either form part of their staff or fulfil the corresponding tasks on the basis of a service contract. In the case of public authorities or bodies, a single data protection officer may be designated for several such authorities or bodies.
In order to effectively comply with the obligations deriving from the new Regulation, a training programme should be established for staff involved in personal data processing and, in particular, staff with responsibilities in this area attributed to them within the organisation.