How can I adapt my business to the LOPD?


In 2017, the “Draft Organic Law on the Protection of Personal Data” was approved, which aimed to adapt the legislation to the provisions of Regulation 2016/679 of the European Parliament and of the Council.

According to it, companies must comply with the LOPD. The problem is that the vast majority of entities have not yet adapted to the new standard, and this may lead to significant penalties from the Administration that could call into question the viability of the company.

There are companies that offer their services to adapt the business to the LOPD: it is an investment that is really worth it. A good example is this data protection website for companies. It is a sure way to know that we have not left anything that goes against the regulations.

In addition, we have prepared some indications for adapt your business to the LOPD.

How to adapt your company to the new General Data Protection Regulation?

From the "Spanish Agency for Data Protection" they have prepared a tool that will facilitate adaptation by entities and professionals. This company is called GDPR EASY And it can be downloaded without any cost.

However, it is only intended for those entities that operate with personal data low risk. In addition, we must bear in mind that the tool is only intended to help: it does not mean that by using it we will already comply with the provisions of the GDPR.

What can we do if our company operates with high risk data?

In the event that in your company they are treated with data derived from the use of profiles, in which genetic, biometric, racial or ethnic origin data, including geolocation, are relieved, we can forget about using GDPR FACILITE, and it is that then we will be operating with high risk data.

If this happens, we will have to get in touch with a professional company that will help us shape the roadmap to know how to comply with the standard. For this, we may need it.

  • Create the Treatment activity log.
  • We may also need to make a risk analysis and, based on it, review the relevant security measures.
  • Manage protocols security bankruptcy notification before the entities that stipulate it.
  • It may be necessary to do what is known as a impact assessment on data protection. We can find more information about this requirement if we refer to Article 35 of the GDPR.
  • If there are some circumstances in the company, we will have to designate a data protection delegate.
  • In addition to all of the above, in the case that we have a web page, we will have to indicate the privacy policies, properly configure the cookies, and establish a list of terms and conditions of use.

To avoid making any mistake in any of these points, our recommendation is to hire a company specialized in this type of work.