In this context, Pérez-Llorca opened the IAPP Madrid chapter by bringing together some of the most prominent professionals in the field in order to address the challenges awaiting companies from the 25th of this month.
The sessions were moderated by the Co-Chairs of the IAPP Madrid Chapter, Henry Velásquez, Compliance Manager & International Privacy Officer at Cigna, and Natalia Martos, Counsel at Pérez-Llorca. Both of them raised a number of relevant issues with the speakers in order to gain a better knowledge of the future implications of the GDPR.
Flora Egea, Data Privacy Officer at BBVA, who was the first to speak, highlighted the main challenges Data Protection Officers (DPOs) are facing and will face in the future. These challenges include knowing the company’s organisation and culture, as well as the technologies and security measures that it works with and how to define the duties and the position of the DPO within the corporate structure. Egea also explained that, in light of the difficulties that companies are encountering when implementing the measures required by the GDPR, the date of 25 May, when the application of the GDPR will become compulsory, will be a starting point for companies as opposed to a deadline. As a result, DPOs will have their work cut out for them in improving and monitoring the implementation of the GDPR and moving companies towards full compliance.
Sergio Maldonado, CEO and co-founder of PrivacyCloud, provided a more technical and product-focused perspective, and discussed the complexities of the digital reality in which the GDPR is being implemented. Maldonado focused on the risky practice of data collection by applications and online platforms through “layered consent”, and emphasised the need to develop technologies to change the status quo of the current privacy policy and implement a system of privacy by design. Maldonado suggested carrying this out by means of a model which prioritises self-management of personal data, whereby the interested party would have control and be aware of what they are releasing, to whom and under what conditions, while ensuring the effective exercise of their rights. This would benefit everyone as it would help facilitate regulatory compliance while companies would be able to obtain much more accurate and reliable information about the potential client.
Lastly, Rafael García, Chief Advisor of the International Department of the Spanish Data Protection Agency (Agencia Española de Protección de Datos, “AEPD”), discussed the need to harmonise the criteria of the various European data protection agencies, the possibility of resorting to alternative dispute resolution –as established in the draft organic law– and highlighted the need to internally restructure the AEPD to ensure its full adaptation to the GDPR. He reflected on the need to prevent DPOs from having to shoulder all the responsibility for data protection and advocated educating all the areas of a company in order to distribute and coordinate compliance with data protection.
After hearing from the speakers, attendees participated in a debate which addressed current topics such as blockchains and smart contracts, which for now have remained outside the scope of the GDPR and will undoubtedly create significant challenges in the near future. Other issues were also discussed, including the trend of increased public interest in, and knowledge of, the processing of their personal data, transparency and the international application of the GDPR in third states.