
GDPR: triggering the union between data protection lawyers and data protection software

By Francesc Alcaraz Gallego

Published: 3 May 2025

The future of legal advice is undergoing its first important test with the arrival of the new Regulation on the protection of personal data.

The arrival of this complex regulation has led to the emergence of a series of software and IT tools which, on the one hand, make it easier to handle the obligations established by the new Regulation correctly but which also, on the other hand, aim to replace the actual legal work of advising on regulatory compliance.

What will be the scope of this advice? Who will be ultimately responsible? Will both service providers work together? Will it extend to other areas of law?

What does the GDPR entail?

Regulation (EU) 2016/679 on the protection of personal data (the GDPR) entered into force on 24 May 2016 and has applied since 25 May 2018, and it is here to stay. It does not involve a mere regulatory adaptation but a profound cultural change that adds recurring tasks for the obliged parties, alongside those they have already had until now, such as:

  • accounting,
  • tax filing,
  • the registration of accounting books and annual accounts, etc.

After the panic experienced in the preceding months and, above all, in the days surrounding 25 May 2018, the date from which it applies, it is time to educate about the fundamental changes and welcome with open arms a cultural change that is undoubtedly absolutely necessary.

So, what can we as citizens demand and what measures will companies and others obliged to comply with the regulation have to take?

Extension of rights for citizens

New rights

In addition to the already well-known ARCO rights (access, rectification, cancellation and opposition, now accompanied by a right to restriction of processing), the popular Right to be Forgotten and the Right to Portability have been created. The latter obliges the data controller to provide the data subject with a copy of the data he or she has provided in a structured, commonly used and machine-readable format, so that it can be transmitted to another controller. The Right to be Forgotten (the right to erasure), on the other hand, obliges the controller to erase the data held about a specific data subject without undue delay when one of the grounds in the Regulation applies, for example when the data are no longer necessary for the purpose for which they were collected, or when consent is withdrawn and no other legal basis remains.

The citizen as the owner of his or her own data

From the citizen's point of view, the new regulation allows us to regain real ownership of our data. From now on, personal databases will not be owned by a particular company but by the owners of those data.

This means that the company may use the data only on a lawful basis established by the Regulation, most visibly the consent given by the data subject or his or her guardian (although performance of a contract, a legal obligation or a legitimate interest are also valid bases), and the company will therefore be considered responsible for the correct custody and protection of the data, but never the owner of the data.

The whole chain will be responsible

On the other hand, from the point of view of the company, professional or public institution, as we have already pointed out, henceforth the controller, they can no longer be considered owners of the personal data they handle, but rather responsible for their processing.

This means that they will have to adopt a proactive and responsible attitude and be involved in compliance by adopting and adapting to the new culture of personal data protection.

In fact, not only must the company protect the data, but it must also ensure, normally through a written processing agreement, that the third parties who for various reasons have access to the data in its custody also comply with the rules and act responsibly in processing them.

More obligations for companies

New registers and responsibilities

The obligation to register files with the AEPD has been abolished, but the Register of Processing Activities has been created as a legal requirement. Companies with fewer than 250 employees are exempt only if their processing is occasional, does not involve sensitive (special-category) data and is unlikely to result in a risk to data subjects, so in practice most companies will have to keep it.

At the same time, a number of further registers follow as a matter of common sense:

  • the Register of Data Processors,

  • the Register of Clients when acting as data processor,

  • the Register of requests from data subjects exercising their rights over personal data,

  • the Register of Data Transfers and the Register of Incidents (security breaches).

On the other hand, the following will also be obligatory:

  • a risk analysis of each of the processing operations,

  • Privacy Impact Assessments ( PIAs ), which the Regulation calls Data Protection Impact Assessments, when a processing operation, by reason of its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons, for example large-scale processing of special categories of data or systematic monitoring of publicly accessible areas.

A new actor comes into play

The Data Protection Officer ( DPO ) is the natural person, specialised in law and with practical knowledge of data protection, who mediates between the company, the data subjects, third parties involved and the Spanish Data Protection Agency (AEPD), as well as assessing compliance systems, analysing risks and coordinating the different teams involved in the process of bringing into compliance and maintaining said compliance.

For the time being, a DPO must be appointed by public authorities and bodies (except courts acting in their judicial capacity), by organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, and by those whose core activities involve large-scale processing of special categories of data, such as health data, or of data relating to criminal convictions. Member States may also extend this obligation in their internal legislation.

In the not-too-distant future, it is clear that the range of obliged companies will expand as processes are made easier and costs are reduced, for example with software tools.

In fact, the AEPD has stated on several occasions that companies that are not obliged to do so should voluntarily designate their DPO, as this offers enormous advantages.

Sanctions call for compliance

In view of the above, and having understood who is the data controller and who is responsible, it should be noted, without the aim of scaring, that the maximum administrative fines are €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the less serious infringements (for example failures in the obligations of controllers and processors, such as keeping records or notifying breaches), and €20 million or 4% of turnover, whichever is higher, for the most serious ones (for example infringing the basic principles of processing, the conditions for consent or data subjects' rights).

Therefore, by way of example, for an SME with a turnover of €800,000 in 2017, whether or not it made a profit that year, 2% and 4% would be €16,000 and €32,000; but because the fixed amounts are higher, the ceiling that actually applies to it is €10 million or €20 million. The fine imposed in a specific case is set below that ceiling according to the nature, gravity and duration of the infringement, the degree of responsibility, the measures taken to mitigate the damage and the cooperation shown with the authority, which is precisely why demonstrable compliance matters.

This is why it is important to take this cultural change very seriously and to prevent penalties as far as possible, rather than planning to bear the cost, make a provision and wait: a very common practice in the past that no longer makes any sense today.

GDPR Software: Tools that are undoubtedly necessary

As we have seen, the new regulation requires a great deal of effort: first preparing dense legal studies, then an action plan that specifies each of the measures to be carried out, so that a possible inspection can be shown that the regulation is being complied with and that all the actions considered necessary to comply with it are being carried out proactively.

We, as advisors in the field, cannot ignore the existence of such software or the sound guidance it gives on the appropriate plan of action. Nor can we continue to propose Excel spreadsheets for keeping the aforementioned registers. Software has arrived in our profession, and not only should we not be afraid of it, but we should adopt it as another tool to improve and enhance the quality of our work.

Can technology replace the work of lawyers?

Some companies may try to go it almost alone, taking great care to follow the software's "instructions" correctly in order to avoid liability, but the future says that they will still need us.

Proof of this is that some GDPR software already offers a parallel platform for the advisor, whether or not acting as an internal or external DPO, to review and approve both the preparation of the action plan and its implementation. This is perhaps the best criterion for assessing the quality and usefulness of such software.

From my personal experience, and this is an issue that arises in any subject or area of law, it is essential that lawyer-client communication is properly recorded and ordered, and that it is possible to generate documents transcribing those conversations (e.g. as PDF) in the event of any kind of conflict. Email is therefore close to becoming a thing of the past.

Jurists + technology = secure processing

This seems to be the perfect combination: although the hours of advice, and therefore the costs, are greatly reduced, it will be wise for companies to continue to transfer the risk of the final advice on the matter to lawyers and thus to their professional liability insurers.

As to whether this will extend to other areas of law, the future is unpredictable, but everything points to it doing so.

Article translated from Spanish