The General Data Protection Regulation will be directly applicable in all Member States on 25 May. It will regulate the processing of personal data carried oit in the EU or with data of EU citizens, with sanctions that can reach 20 million euros or 4% of annual turnover. A rule that gives new rights to users over the control of their data and requires a proactive responsanility of companies in the processing of data.

Are we prepared for the inminent implementation of the RGPD? New challenges in the face of Europan data protection regulations, organised by Andersen Tax & Legal and the Foundations for Stock Market and Financial Studies (FEBF), with the participation of Ignacio Aparicio, Partner of Andersen Tax & Legal, Rafael Ripoll, Of Counsel of the firm, Isabel Martinez Moriel, head of the Privacy, IT & Digital Business area of the firm, María García Zarzalejos, lawyer in the same area, and Isabel Giménez, General Director of the FEBF.

During his speech, Ignacio Aparicio stressed the proactive responsibility that the Regulation requires of companies as data controllers, which means that companies "must take the necessary measures to comply with the Regulation and be in a position to demonstrate that they are being applied". At this point, he has argued that the design of the measures must be appropriate to the volume of data that is managed, their sensitivity and the treatment that is made of it.

"From the configuration and development of a technology, privacy must be established by design, while in the case of privacy policies for data collection, privacy must be carried out by default so that it is the user who decides on which data can be treated by the data controller," said Aparicio, who has listed certain recommended measures to comply with privacy, such as pseudominization, which involves "anonymizing personal data after the legal storage period, so that they cannot be linked to a person but can be used for a different purpose for which they were collected, such as for analytical or statistical purposes".

For her part, Isabel Martínez Moriel has underlined that the European Data Protection Regulation reinforces the user's right to their data and collects "express and updated consent for the use of their data, by means of free, unequivocal and precise action and with sufficient information on the treatment that will be made of the data". Thus, she explained that it is necessary "to carry out an evaluation of the personal data processed by the company in order to apply measures adapted to those who have been active or about whom there is a legitimate interest based on a contractual relationship".

Likewise, the person in charge of Privacy, IT & Digital Business of Andersen Tax & Legal has made reference to the new rights of the users that the RGPD includes, such as portability, limitation of treatment, not to be the object of automated decisions and, above all, the right to be forgotten

As explained, the new privacy model is based on risk management, depending on whether the risk is high or standard, which is addressed through the design of specific measures to ensure that the processing of data is safe depending on its volume and processing. In this sense, he has pointed out that "despite the fact that in many cases very private data are not processed, the large-scale use of personal data may lead us to have to carry out an impact assessment".

Finally, María García Zarzalejos addressed the figure of the Data Protection Delegate (DPO), obliged for authorities and public bodies, entities that systematically process data on a large scale and, finally, for companies that process sensitive data (on health, trade union or political affiliation, etc.) or on criminal offences.  In his speech he indicated that he must be a person who is