Última revisión
In order to promote and disseminate knowledge about risk management for the rights and freedoms of natural persons, the AEPD (Spanish Data Protection Authority) develops resources and tools to promote compliance with the RGPD, focusing attention on supporting SMEs and entrepreneurs.
Breaking news regarding accountability
- Telecommuting and data protection in the digital sphere
- Guidelines on Personal Data Breach Notification
- Personal Data Breach Notification Form
- IoT (III): IoT Home Automation
- 10 Misunderstandings related to anonymisation
Basic tools for accountability compliance
The AEPD has developed tools and help material to assist with compliance with general data protection regulation for small businesses, entrepreneurs and developers, and other types of controllers. This section lists those tools that are common to all types of processings. In the section "Guides, reports and technical notes" you can find specific material that extends their scope to specific treatments, technologies or controllers.
In any case, controllers and processors should not forget to verify that they comply with all the requirements and obligations that guarantee compliance with GDPR and national rules on data protection.
Risk management
The following resources support the obligation to carry out a risk analysis of personal data processings:
- Guía práctica de análisis de riesgos para el tratamiento de datos personales (only in Spanish, soon available in English)
- Tool for conducting risk analysis and data protection impact assessments (only in Spanish, soon available in English)
- Tool to help compliance with GDPR for entities that carry out low risk processing activities: FACILITA GDPR
- Tool to help entrepreneurs and technology start-ups to comply with data protection regulations: FACILITA-EMPRENDE
Data Privacy Impact Assessment
The following resources support the obligation to carry out a data privacy impact assessment of personal data processings:
- Guía práctica para las evaluaciones de impacto en la protección de datos personales (only in Spanish, soon available in English)
- List of the types of data processing that require a DPIA (art 35.4) [sep 2019]
- Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]
- Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations
- Template For Data Protection Impact Assessment Report (DPIA) For Private Sector
Data Protection by Design and by Default
The following resources support the obligation to take into account, from the initial stages of definition and analysis of the processing, appropriate technical and organisational measures for ensuring, by design and by default, data protection principles implementation:
- A Guide to Privacy by Design
- Guidelines for Data Protection by Default
- Protección de datos por defecto: Listado de medidas (only in Spanish, soon available in English)
Personal Data Breach Management
The following resources support the obligation to implement incident recording and notification mechanisms in order to properly manage any possible security breache that may arise during personal data processing.
- Guidelines on Personal Data Breach Notification
- Tool to assess the obligation to communicate a personal data breach to the data subjects: COMUNICA-BRECHA RGPD
- Personal Data Breach Notification Form
- Security breach site (only in Spanish, soon available in English)
Application sectors and technologies
In order to respond to sectors of activity or technologies that incorporate singularities in data processing, referenced is made below to resources of interest, both national and international, that can serve as support to comply with the principle of accountability. At this time, published materials and resources cover the following areas:
- Anonimity
- Artificial Inteligence and automated decisions
- Big Data
- Biometrics
- Blockchain
- Cloud computing
- Covid-19 Pandemic
- Data protection by desing and bu default
- Encryption and privacy
- Governance and data protection policies
- Internet and mobile systems
- Internet of Things (IoT) and connected systems
- Personal data breach and security
- Public Administrations
- Risk management
- Telecommuting
Anonimity
Guidelines and technical surveys
- 10 Misunderstandings related to anonymisation [april 2021]
- Introduction to the Hash Function as a Personal Data Pseudonymisation Technique [nov 2019]
- K-anonymity as a privacy measure [jun 2019]
International recommendations and guidelines
- ENISA: Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation [nov 2018]
- ART.29 WP: Opinion 05/2014 on Anonymisation Techniques [april 2014]
Artificial Inteligence and automated decisions
Guidelines and technical surveys
- Audit Requirements for Personal Data Processing Activities involving AI [jan 2021]
- GDPR compliance of processings that embed Artificial Intelligence. An introduction [feb 2020]
International recommendations and guidelines
- EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [jun 2021]
- European Commission - IA HLEG: A definition of AI: Main capabilities and disciplines [april 2019]
- European Commission - IA HLEG: Ethics guidelines for trustworthy AI [april 2019]
- Council of Europe: Guidelines on Artificial Intelligence and Data Protection [jan 2019]
- Council of Europe: Artificial Intelligence and Data Protection: Challenges and Possible Remedies [jan 2019]
- ART.29 WP: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 [oct 2017]
- ART.29 WP: Opinion 02/2013 on apps on smart devices [feb 2013]
Big data
International recommendations and guidelines
- EDPS: Meeting the challenges of big data [nov 2015]
Biometrics
Guidelines and technical surveys
International recommendations and guidelines
- EDPS: Facial Emotion Recognition [may 2021]
- Council of Europe: Guidelines on Facial Recognition [ene 2021]
- ART.29 WP: Opinion 3/2012 on developments in biometric technologies [april 2012]
Blockchain
Posts
-
Blockchain (II): Basic concepts [nov 2020]
Cloud computing
International recommendations and guidelines
Covid-19 Pandemic
Guidelines and technical surveys
- Guidelines for social distance and access control apps due to COVID-19 [jun 2020]
- Technologies in the fight against COVID19 [may 2020]
Posts
- Personal data and emergencies [april 2020]
- Phishing Campaigns Regarding The Coronavirus [mar 2020]
International recommendations and guidelines
Data protection by design and by default
Guidelines and technical surveys
- Differential Privacy for Complex Data: Answering Queries Across Multiple Data Tables [mar 2021]
- Guidelines for Data Protection by Default [oct 2020]
- A Guide to Privacy by Design [oct 2019]
Posts
- Privacy Engineering [sep 2019]
International recommendations and guidelines
- NIST (National Institute of Standards and Technology): Automatic Proofs of Differential Privacy [jul 2021]
- NIST (National Institute of Standards and Technology): Testing for Differential Privacy Bugs [jun 2021]
- NIST (National Institute of Standards and Technology): Differential Privacy Bugs and Why They’re Hard to Find [may 2021]
- NIST (National Institute of Standards and Technology): Differentially Private Synthetic Data [may 2021]
- NIST (National Institute of Standards and Technology): Differential Privacy for Complex Data: Answering Queries Across Multiple Data Tables [mar 2021]
- NIST (National Institute of Standards and Technology): Workloads of Counting Queries: Enabling Rich Statistical Analyses with Differential Privacy [feb 2021]
- NIST (National Institute of Standards and Technology): Summation and Average Queries: Detecting Trends in Your Data [dec 2020]
- NIST (National Institute of Standards and Technology): Counting Queries: Extracting Key Business Metrics from Datasets [oct 2020]
- EDPB: Guidelines 4/2019 on Article 25 Data Protection by Design and by Default [oct 2020]
- NIST (National Institute of Standards and Technology): Threat Models for Differential Privacy [sep 2020]
- NIST (National Institute of Standards and Technology): Differential Privacy for Privacy-preserving Data Analysis: An Introduction to our Blog Series [ jul 2020]
- Response to the proposal of a member of the European Parliament regarding the possibility of requiring that all new laptops entering the European Union market be equipped with a camera cover [jun 2020]
- ENISA: Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default [dic 2018]
- NIST: Privacy Framework
- NIST: Privacy Engineering Program
- Harvard University: Privacy Tools Project
Encryption and privacy
Posts
- Encryption and Privacy IV: Zero Knowledge Proofs [nov 2020]
- Encryption and Privacy III: Homomorphic encryption [jun 2020]
- Encryption and Privacy II: Lifespan of personal data [jan 2020]
- Encryption and Privacy: Encryption in the GDPR [nov 2019]
International recommendations and guidelines
- EDPS: Quantum Computing and Cryptography [aug 2020]
- ART.29 WP: Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal datain the EU [apr 2018]
Governance and data protection policies
Posts
- Group Privacy [oct 2020]
- Data Governance and Data Protection Policy [sep 2020]
- Consent receipt: A tool for transparency and proactive accountability [feb 2020]
International recommendations and guidelines
- EDPB: Guidelines 07/2020 on the concepts of controller and processor in the GDPR [sep 2020]
- EDPB: Guidelines 05/2020 on consent under Regulation 2016/679 [may 2020]
- EDPS: Personal Information Management Systems [ene 2020]
- EDPS: EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data [dic 2019]
- ART.29 WP: Guidelines on the right to data portability [april 2017]
- EPDS: Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit [abril 2017]
- ART.29 WP: Guidelines on Data Protection Officers (DPO) and "large-scale" notion [dec 2016]
Internet and mobile systems
Guidelines and technical surveys
- Guide on use of cookies [jan 2021]
- Measures to minimise internet tracking [sep 2020]
- Infographic: Measures to minimise internet tracking [sep 2020]
- Introduction to 5G technologies and their risks in terms of privacy [may 2020]
- Protection of minors on the Internet [april 2020]
- DNS Privacy [nov 2019]
- The duty to inform and other accountability measures for mobile devices [may 2019]
- Access to applications on the screen for Android devices [may 2019]
- User controls for ad personalisation on Android [may 2019]
- Analysis of information flows in Android. Tools for compliance with accountability [mar 2019]
- Survey about preinstalled apps in Android and privacy risks [mar 2019]
- Survey on Device Fingerprinting [feb 2019]
Posts
- HTTPS: Encryption on the Web [april 2021]
- Identification in online payment services [dec 2020]
- Privacy risks when logging in other applications with social media accounts [oct 2020]
- URL shorteners [jul 2020]
- Recommendations to Prevent Digital Harassment [may 2020]
Internet of Things (IoT) and Connected Systems
Guidelines and technical surveys
- Infographic: Privacy Risks of Internet of Things at Home [mar 2021]
- Guide on drones and data protection [may 2019]
Posts
- IoT (III): IoT Home Automation [may 2021]
- IoT (II): from the internet of things to the internet of bodies [jan 2021]
- Connected Cars [april 2020]
- IoT (I): What is IoT and which risks does it entail [dec 2020]
International recommendations and guidelines
- Guidelines 02/2021 on Virtual Voice Assistants [jul 2021]
- Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications [mar 2021]
- EDPS: Connected Cars [dic 2019]
- EDPS: Smart Meters in Smart Homes [oct 2019]
- EDPB: Directrices 3/2019 sobre el tratamiento de datos personales a través de dispositivos de vídeo [jul 2019]
- EDPS: Smart Speakers and Virtual Assistants [jul 2019]
- ART.29 WP: Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones [jun 2015]
Personal data breach and security
Guidelines and technical surveys
Tools
Templates and forms
Posts
- Personal data breaches: Ransomware and risk management [dec 2020]
- Personal data breaches: online productivity platforms [jun 2020]
- Data protection and security [april 2020]
- Personal data security breaches: Top 5 technical measures to be taken into account [april 2020]
- Notification of personal data security breaches during the state of alarm [april 2020]
- Phishing Campaigns Regarding The Coronavirus [mar 2020]
- Data breach: communication to the to the data subject [feb 2020]
- Data breaches: protect yourself against the loss or theft of a portable device [oct 2019]
- Personal data breaches: what they are and how to respond [jun 2019]
- Personal data breaches: protect yourself against ransomware [may 2019]
International recommendations and guidelines
- ART.29 WP: Guidelines on Personal data breach notification under Regulation 2016/679 [feb 2018]
- ENISA: Handbook on Security of Personal Data Processing [dic 2017]
- ENISA: Guidelines for SMEs on the security of personal data processing [dic 2016]
Public Administrations
Guidelines and technical surveys
- Technologies and Data Protection in Public Administrations [dec 2020]
- Guidelines for Implementation of the Eighth Additional Provision and Twelfth Final Provision of the LOPDGDD [feb 2020]
Templates and forms
International recommendations and guidelines
Risk management
Guidelines and technical surveys
- Guía práctica de análisis de riesgos para el tratamiento de datos personales (only in Spanish, soon available in English)
- Guía práctica para las evaluaciones de impacto en la protección de datos personales (only in Spanish, soon available in English)
- List of the types of data processing that require a DPIA (art 35.4) [sep 2019]
- Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]
Tools
- Tool for conducting risk analysis and data protection impact assessments (only in Spanish, soon available in English)
- Tool to help compliance with GDPR for entities that carry out low risk processing activities: FACILITA GDPR
- Tool to help entrepreneurs and technology start-ups to comply with data protection regulations: FACILITA-EMPRENDE
Templates and forms
- Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations
- Template For Data Protection Impact Assessment Report (DPIA) For Private Sector
Posts
-
Do you know Gestiona? [jan 2020]
International recommendations and guidelines
- NIST (National Institute of Standards and Technology): SP 800-53B Security and Privacy Controls for Information Systems and Organizations [sep 2020]
- NIST: Spreadsheet (.xlsx) version of SP 800-53B controls
- ART.29 WP: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 [april 2017]
Telecommuting
Guidelines and technical surveys
Posts
- Telecommuting and data protection in the digital sphere [jul 2021]
- Privacy in Online Meetings [feb 2021]
International recommendations and guidelines