Strategic Design and Privacy

Experts warn of the loosening of data protection dispatches


The awareness in data protection is a pending task within the offices. This was expressed Javier Álvarez Hernando, delegate of data protection (DPO) of several bar associations, during the I National Congress of DPO organized by Wolters Kluwer on January 24 in Madrid. For the specialist, although the law firms have adapted the requirements provided for in the new regulations in this area, there is a widespread lack of concern.


“The DPO do not take us too seriously,” said Álvarez. In addition, risk awareness is minimal, as is the culture of privacy, although this reality is materialized more frequently in smaller law firms, which are around 90% in Spain.


To address this issue, the diplomatic function of the data protection delegate is especially relevant within the legal sector, since it must exercise “evangelizing work” and convince the firm of the importance of implementing these policies. In this sense, Alvarez highlighted the training work that is being carried out from the bar associations, which he labeled as “essential” to sensitize the group.


Know the sector


During the day, other characteristics of the DPO figure were addressed in other areas. At this point, Alvarez said that each company develops its activity in a different way by the particularities of regulatory frameworks. Therefore, in order to achieve a greater commitment to privacy, the DPO must know the sector of the company with which it works. “This is the most important thing even to know the European regulations,” said Álvarez.

On the other hand, policies on data protection should be framed within the organizational framework of the company “as part of strategic planning,” says Ricard Martínez, director of the Chair of Privacy and Digital Transformation of Microsoft-Universitat de Valencia. That is to say, shelling and explaining the steps of the plan to be followed by the company to ensure that the General Data Protection Regulations (RGPD) are being complied with.

In this line, Elena Gil, lawyer and researcher at the Institute of Right to Information at the University of Amsterdam, points out that in order to foster a corporate culture based on privacy, “it must start from the top”. In this way, it is achieved that the awareness permeate from the highest positions to the rest of the company and is established in the spirit of the same.

However, in order to achieve this, the DPO must always bear in mind that not all company personnel have extensive knowledge of data protection.

Therefore, the delegate must “adapt his language to the people with whom he communicates in order to reach all the members of the company”, underlines Gil. In this way, it also achieves a greater commitment to the culture of privacy.

Internal or external?


Independence is one of the most important aspects that a DPO must have. In this sense, the debate arises as to whether, in order to achieve the degree of independence required in its exercise, the expert must be internal or external. On the one hand, Cecilia Álvarez, president of the Spanish Association of Professionals of Privacy (APEP) and DPO in a private entity, said that what matters is the independence of the criteria and experience:

“I would not say that because you are an intern you are sold “, he said.


On the other hand, when having a data protection department is necessary, but it is not possible, many companies choose to hire the services of an external office to avoid overloading the responsible party. “Not being in the organization gives you that independence,” said Agustín Puente, partner at Broseta and former head of the AEPD’s legal office. At the same time, he warned of the danger of the famous “zero cost consultancies” that arose with the application of the RGPD.

However, the effort should not start from the side of the data protection professional. The company must also do its part, both in terms of financial and human resources, to facilitate the work of the DPO. And even more so when we live a time where the data are protagonists.