bypas

the 1st illustrated legal forum

17 December, 2019

are you closing the 2020 budget?

re-consider the data protection budget line


Don't go on Christmas holidays without making adequate provision of funds to cover the estimated cost of complying with data protection regulations in 2020, plus the unpredictable additional costs that may arise from new processing activities, possible claims or security breaches.

In January it may be too late, and your Finance department may complain, or be upset with you, about the lack of foresight.

All businesses, without exception, including yours, rely on information management and, among other things, on the processing of personal data, whether for purely internal purposes (e.g. personnel data) or for external ones too (e.g. customer data).

In order to demonstrate that you intend to comply with the regulations, the first thing to do is to define what resources you are going to allocate to this work.


If you are not the one dealing with these issues, but you are concerned about your company's compliance, forward this post to the person designated for this purpose or to your Data Protection Officer (DPO) and make sure they have enough time and the necessary human, technical and financial resources to ensure compliance with data protection.


It has been more than a year and a half since the General Data Protection Regulation (GDPR) became fully applicable, and almost a year since the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDPGDD) came into force.

As with every regulatory change, the passage of time has the advantage that many concepts which were open to interpretation at the outset have become clearer, so compliance decisions are easier to make. Conversely, the novelty of the regulation is no longer an excuse for delaying compliance.

The Spanish Data Protection Agency (AEPD) has launched numerous outreach and training initiatives, published reports and guidance documents, resolved queries and provided management tools, all to raise awareness and give companies time to build a data culture based, among other things, on the principles of privacy by design and accountability (see its visual summary of the results of its strategic plan).

However, the AEPD has also begun to impose sanctions for non-compliance with the new regulations (see the summary of AEPD sanctions published and updated by eldiariolaley).

How do you budget for the 2020 cost of compliance in terms of data protection?


It depends: what level of compliance are you at?

Depending on your compliance status, you will have more or fewer tasks to tackle proactively:

If you had to start from scratch, you would have to inform yourself about your data protection obligations and understand clearly what it means to carry out a compliance project tailored to your business activity.

Then, to ensure compliance with the applicable regulations, you would have to design your own compliance project, allocating resources and specific tasks, and draw up an action plan for carrying it out, with a realistic timetable and internally assigned roles and responsibilities.

If, in addition, you want to make sure that compliance is maintained in the future, it is advisable to design a compliance and supervision plan, applying protocols that ensure privacy by design and by default, and accountability, such as the management of the corresponding evidence of compliance.

Additionally, depending on your business activity and the processing activities you carry out, you may need to keep a record of processing activities or appoint a DPO (see the scenarios in which designation is mandatory).

On the other hand, you should be prepared to perform some tasks reactively, such as including personal data protection as a factor in new business projects that involve the processing of personal data, resolving queries or complaints from the data subjects whose data you process, keeping up to date with new legal requirements where applicable, or dealing with security breaches.

The range of cases and the particularities of each one, by type of data, relationships, sectors, data flows, data subjects, data recipients, etc., are enormous, and if you really intend to be compliant, rely on an experienced expert who can estimate a budget suited to your specific case.

Don't be taken in by just any offer. The market has become saturated with opportunists, and the AEPD itself has warned of consultancies that provide services at "zero cost" or limit themselves to "copy-paste" without making a detailed analysis of each business's situation (see the relevant AEPD press release). To ensure that DPOs are properly qualified, the AEPD introduced a Scheme for the certification of individuals as DPOs.

In my case, I have specialised knowledge. I passed the DPO exam with AENOR in September 2018 and again in November 2019 with the Spanish Quality Association (AEC), so I can prove that I am a certified DPO under the AEPD Scheme. However, what is probably most interesting for you is that I have practical experience and a business-oriented approach, having managed data protection matters for 16 years as in-house lawyer of a consumer company for Spain and Portugal and, later on, having had the opportunity to legally coordinate the GDPR compliance project in 26 European countries.

Visit www.lawingit.com to get to know me better and, if you would like to reconsider your 2020 data protection budget line, feel free to contact me at info@lawingit.com
