GDPR: trigger for the union between lawyers and data protection software

By Francesc Alcaraz Gallego

Published: May 3, 2025

The future of legal advice undergoes its first important test with the arrival of the new Regulation on the protection of personal data.

The arrival of this complex regulation has led to the emergence of a series of software and IT tools that, on the one hand, facilitate the correct management of the obligations established by the new Law but, on the other hand, also aim to replace the actual legal work of advising on regulatory compliance.

What will be the scope of such advice? Who will be ultimately responsible? Will both service providers work together? Will it extend to other areas of law?

What does the GDPR entail?

Last May 25, the European Union Regulation 679/2016 on Personal Data Protection came into force, and it did so to stay. It will therefore not involve a mere regulatory adaptation but a profound cultural change that adds recurring tasks for the various obligated parties, alongside those that already exist, such as:

  • accounting,
  • tax filing,
  • the registration of accounting books and annual accounts, etc.

After the panic experienced in the preceding months and, above all, in the days surrounding its entry into force, it is time to educate about the fundamental changes and welcome with open arms a cultural change that is undoubtedly absolutely necessary.

So, what can we demand as citizens and what measures will companies and other parties obliged to comply with the regulations have to adopt?

Expansion of citizens' rights

New rights

In addition to the already well-known ARCO rights (access, limitation, rectification and opposition), the popular Right to be Forgotten and the Right to Portability have been created. The latter obliges the data controller to provide the data subject with a complete copy of his or her data in a compatible electronic format. The Right to be Forgotten, on the other hand, obliges the data controller to delete all data held on a specific data subject.

The citizen as the owner of his or her own data

From the citizen's point of view, the new regulation allows us to regain real ownership of our data. From now on, personal databases will not be the property of a particular company but of the owners of that data.

This means that the company will use the data in accordance with the legitimacy criteria established by the Regulation, mainly on the basis of the express consent given by the owner of the data or his or her guardian. The company is therefore considered responsible for the correct custody and protection of the data, but never its owner.

The whole chain will be responsible

On the other hand, from the point of view of the company, professional or public institution (henceforth the data controller, as we have already pointed out), they will no longer be considered owners of the personal data they handle, but responsible for its processing.

This means that they must adopt a proactive and responsible attitude, as well as be involved in compliance with the standard by adopting and adapting to the new culture of personal data protection.

In fact, not only must the company protect the data, it must also ensure that the third parties involved, who for various reasons have access to the data in its custody, also comply with the regulations and act responsibly in the processing of the data.

More obligations for companies

New registers and responsibilities

The obligation to register files with the AEPD has been abolished, but the Register of Processing Activities has been created as a legal requirement for companies with more than 250 employees or that process sensitive data or data that may generate significant risks for data subjects.

At the same time, further registers are also born out of common sense:

  • the Register of Data Processors,
  • the Register of Clients when acting as data processor,
  • the Register of requests from holders of rights over personal data,
  • the Register of Data Transfers and the Register of Incidents.

On the other hand, the following will also be mandatory:

  • a risk analysis of each of the processing operations,
  • Privacy Impact Assessments when, due to the nature, scope, context and purpose of the processing, there is a reasonably high probability of harming the rights and freedoms of natural persons.

A new player comes into play

The Data Protection Officer (DPO) is a natural person, a specialist in law with practical knowledge of data protection, who mediates between the company, the data subjects, the third parties involved and the Spanish Data Protection Agency (AEPD). The DPO also evaluates compliance systems, analyzes risks and coordinates the various teams involved in the process of bringing the organization into compliance and keeping it there.

For the time being, only public administrations (except courts) and companies that carry out processing operations requiring regular and systematic observation of data subjects on a large scale, and/or processing operations involving special categories of data on a large scale, such as those relating to health, will be obliged to appoint a DPO. A DPO must also be appointed where the member states of the Union so require in their internal regulations.

In the not-too-distant future, it is clear that the range of obliged companies will be extended as processes are facilitated and costs are reduced, for example with software tools.

In fact, the AEPD has stated on several occasions that companies that are not obliged to do so should voluntarily appoint their DPO, as this offers enormous advantages.

Sanctions call for compliance

In view of the above, and having understood who is the owner and who is responsible, it is worth warning, without the aim of scaring, that the penalties will range between 2% and 4% of the total annual global turnover of the previous financial year, or €10 million for serious infringements and €20 million for very serious ones.

Therefore, and by way of example, an SME that earned €800,000 in 2017, whether or not it made a profit in 2017, will have to pay between €16,000 and €32,000 if it is penalized.

This is why this cultural change should be taken very seriously: sanctions should be prevented as far as possible rather than planning to assume their cost, provisioning for them and waiting, a very common practice in the past that no longer makes any sense today.

GDPR software: tools that are undoubtedly necessary

As we have seen, the new regulation requires a great deal of effort: first to prepare dense legal studies, and then an action plan that specifies each of the measures to be carried out, so that a possible inspection can be shown that the regulation is being complied with and/or that all the actions considered necessary to comply with it are being carried out proactively.

We, as consultants in the field, cannot ignore the existence of such software, nor the soundness of the advice it gives regarding the appropriate plan of action. Nor can we continue to propose the use of Excel spreadsheets to keep the aforementioned registers. Software has arrived in our profession, and not only should we not be afraid of it, we should adopt it as another tool to improve and enhance the quality of our work.

Can technology replace the work of lawyers?

Some companies may walk almost alone, paying close attention to following the "instructions" correctly in order to avoid liability; however, the future says that they will continue to need us.

Proof of this is that some GDPR software already offers a parallel platform for the advisor, whether acting as internal or external DPO, to review and approve both the development of the action plan and its implementation. This is perhaps the best criterion for assessing the quality and usefulness of such software.

From my personal experience, and this is an issue that arises in any subject or area of law, it is essential that attorney-client communication be perfectly recorded and ordered, and that it be possible to generate documents transcribing such conversations (e.g. PDF) in case any conflict arises. Email is therefore close to becoming a thing of the past.

Jurists + technology = secure processing

This seems to be the perfect combination since, although the hours of advice, and therefore the costs, are greatly reduced, it will be wise for companies to continue to transfer the risk of the final advice on the matter to jurists and therefore to their insurance companies.

As to whether this will extend to other areas of law, the future is unpredictable, but everything points to the fact that it undoubtedly will.

Article translated from Spanish