Although Spain has adopted the GDPR (General Data Protection Regulation) like many other European Union countries, its application on the ground remains contrasted.
Like the CNIL in France, the SADP (Spanish Agency for Data Protection) has issued guidelines and published guides to support companies and facilitate their compliance with the GDPR, particularly with regard to the management of cookies and associated consents. “The SADP’s guidelines are very similar to those of the CNIL, but in practice, there is not a strong official pressure for all actors to take up the subject quickly and globally,” says Juan Vázquez, Director for the Iberian region of Commanders Act.
This feeling is also reflected in the figures. Yes, Spain is at the top of the rankings if we look at the number of fines imposed, but is rather at the bottom if we look at the average amount: 131,564 euros compared to 10.79 million euros in France. In this context, can the French experience inspire the Spanish market? What lessons can be learned from it? The summary in 5 lessons.
Learning #1: Don’t Think It’s Just About Others
In Spain, the SADP is paying special attention to Telcos such as Vodafone, banks such as Caixabank and BBVA, and airlines such as Iberia and Vueling. A pressure that has strongly encouraged companies in these sectors to take up the issue. “I think there are significant differences in the level of compliance depending on the sector of activity, with players in the telecommunications or financial sectors, whose activity is directly related to the processing of personal data, clearly above average”, analyzes Santiago Vázquez-Graña, DPO of Capgemini Spain.
Should other sectors and smaller players feel immune? Probably not. As the French experience has shown, even if the CNIL does not necessarily have the means to investigate all sectors at the same time, campaigns follow one another to review the various sectors of the economy. It is difficult to see how actors in the tourism sector, which accounts for more than 10% of GDP, can escape the investigations of the SADP.
In short, whether it is a large company or a small or medium-sized enterprise, all the players, especially those whose activities are exposed in one way or another, may appear on the radar of the authorities.
Learning #2: Don’t wait for the skills shortage
GDPR and the directives issued by national authorities form a complex set to interpret. Beyond the modalities of consent management, subjects such as the retention period may require the support of experts. The same applies to technical implementation. In other words, it is better not to wait for a general market adoption movement before taking the plunge – unless you want to pay a high price for skills that are not readily available. In France, where companies have often waited until the last moment to invest in the subject, specialized law firms have quickly been missed…
Learning #3: Don’t think you’ve solved the problem with server-side
The announced end of cookies has led companies to launch migrations to the server-side. In other words, the collection of information is no longer handled on the browser side, but on the server-side (read our white paper “How to prepare for cookieless?” ). These migrations are sometimes accompanied by a question: since the collection is done “cookieless”, is there no need for consent anymore?
Considering the efforts made to switch to server-side, the shortcut is tempting, but… no. Server-side is just a technical collection modality with no impact on consent management requirements. That’s why the Commanders Act CMP was designed from the start to propagate the consent signal in server-side mode.
Learning #4: Thinking about managing global user preferences
How do you manage consent? Case by case, site by site, channel by channel? So, deal with the site, then the app and later the chatbot? Feedback shows that companies like the French Army (l’Armée de Terre) or Floa Bank that opt for a global approach to the subject enjoy a better return on investment.
By addressing consent holistically through a user preference management center, the company streamlines its efforts and greatly minimizes the risk of non-compliance. “In the absence of such an approach, many chatbots in Spain are not attached to a CMP”, observes Juan Vázquez.
Learning #5: Consider preference management as an investment
As a corollary to the previous point, the next step in consent management is to no longer consider the subject as a cost, but as an investment, or even as a competitive advantage that the company can take advantage of. In Spain, “the costs associated with compliance (…) and the general view of compliance as a hindrance to business rather than as a source of added value to the relationship with the customer, explain why many companies do not invest the necessary resources to adapt to the new regulatory reality” , says Legal Army in an interview with Silicon.es.
However, the situation seems to be gradually changing. Let’s hope that, as in France, a growing number of companies will make consent management an attractive argument in its own right.