You might already have a privacy policy published on your website and that’s a great start. But if you think that alone means you’re GDPR-compliant… I hate to break it to you, but you’re only scratching the surface.
The General Data Protection Regulation (GDPR) isn’t just a box to tick and forget. It’s a mindset: a way of handling personal data that demands consistency, responsibility and, consequently, a certain investment of time and effort. And let’s not forget, failing to comply can come with serious fines.
If you run a business or operate as a freelancer in Spain, and you also process personal data (spoiler alert: you almost certainly do), this article is for you. We’ll explain why GDPR compliance is about so much more than just legal texts, and what key areas you may need to review.
Written by Abigail Sked
Paralegal
1. It’s not just about “what”, but “how”
Your privacy policy is the outward, public expression of how you process personal data, which means:
- The privacy policy does not (and, for security reasons, should not) outline in detail all of the measures you take to protect personal data, and
- If you do not put the privacy policy into practice, it loses all meaning.
In terms of internal protocols, you need to consider questions such as: How do you actually handle personal data inside your business? How do you collect it? Who has access? How long do you keep it?
The GDPR requires full traceability throughout the entire data lifecycle, from the moment data enters your company to when it’s deleted or anonymised. This includes:
- Clear and verifiable consent.
- A record of all data processing activities.
- Data protection impact assessments, where relevant.
- Procedures to handle data subject rights (access, rectification, erasure, etc.).
If all that’s not in place, your compliance is incomplete, and that’s risky business.
2. Have you reviewed your contracts with third parties?
One classic oversight concerns third-party relationships. If you work with service providers who process data on your behalf (think accountants, email marketing platforms, or cloud software providers), you need data processing agreements in place.
And not just any template pulled from Google. These agreements must clearly define responsibilities and ensure that your providers are also GDPR-compliant.
3. Your team plays a role too
While completing a formal GDPR course isn’t obligatory, training your team is practically essential if you want to be compliant.
The GDPR calls for “accountability” from data controllers like you, and training is a key tool for reinforcing security. If your team isn’t aware of the risks involved in data processing, mistakes are far more likely to happen.
Basic knowledge helps them understand how to act, what personal data to protect and how to do so. As such, compliance stops being the exclusive task of the data controller (you) and becomes a shared and ongoing practice within your company.
4. What if there’s a data breach? Do you know what to do?
Losing data or allowing unauthorised access to personal data can seriously impact the people affected. If it’s likely that a breach poses a risk to individuals’ rights and freedoms, you must notify the Spanish Data Protection Agency (AEPD) within 72 hours.
But there’s more: all breaches must be documented, even if they don’t need to be reported. This is crucial for proving your due diligence in the event of an audit or complaint.
You also need a clear protocol: detection, containment, assessment and communication. A data breach can hurt your reputation, erode trust and lead to substantial fines.
5. Privacy by design (and by default)
This is another essential GDPR principle that often gets ignored. Every new project, system or service you roll out should be created with privacy in mind from day one.
That means minimising data collection, restricting access and applying technical and organisational measures from the outset. And, above all, you must ensure individuals are clearly informed about how and why their data is being processed. Transparency isn’t just good practice, it’s a legal requirement.
So… what now?
If you’ve reached this point and realised your attempt at GDPR compliance is limited to your privacy policy, the sooner you take action, the better.
At CONESA LEGAL, we offer a comprehensive data protection review for your business. We don’t just look at your documents; we analyse your real-world practices, processes and risks. And we do it clearly, practically and with advice tailored to your business. We speak your language and keep things jargon-free.
We’re based in Barcelona, but we work with companies all over Spain.
Want to take GDPR seriously and stop worrying about fines and unexpected complaints? Get in touch. We’re here to help.