In order to promote and disseminate knowledge about risk management for the rights and freedoms of natural persons, the AEPD (Spanish Data Protection Authority) develops resources and tools that support compliance with the GDPR, with particular attention to SMEs and entrepreneurs.
Breaking news regarding accountability
- Federated Learning: Artificial Intelligence without compromising privacy [apr 2023]
- Guidelines for conducting a data protection impact assessment in regulatory development [apr 2023]
- AI: System vs Processing, Means vs Purposes [apr 2023]
- Guidelines to manage data breach risk in public sector bodies massive data communications [mar 2023]
- UEBA and data protection [mar 2023]
Basic tools for accountability compliance
The AEPD has developed tools and help material to assist small businesses, entrepreneurs, developers and other types of controllers in complying with the General Data Protection Regulation (GDPR). This section lists the tools that are common to all types of processing. The section "Guides, reports and technical notes" contains specific material that extends their scope to particular processing activities, technologies or controllers.
In any case, controllers and processors should not forget to verify that they comply with all the requirements and obligations that guarantee compliance with GDPR and national rules on data protection.
Risk management and Impact Assessment regarding Data Protection
The following resources support the obligation to carry out a risk analysis of personal data processing and, where required, the obligation to carry out a data protection impact assessment:
- Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
- Guidelines for conducting a data protection impact assessment in regulatory development [apr 2023]
- List of tables of the guidelines Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
- Checklist for determining the formal adequacy of a DPIA and the submission of prior consultation [jun 2021]
- List of the types of data processing that require a DPIA (art 35.4) [sep 2019]
- Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]
- Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations [apr 2022]
- Template For Data Protection Impact Assessment Report (DPIA) For Private Sector [mar 2022]
- Tool for the analysis of risk factors: EVALUA-RISK v2 [sep 2022]
- Tool to help compliance with GDPR for entities that carry out low-risk processing activities: FACILITA GDPR [may 2019]
- Tool to help entrepreneurs and technology start-ups to comply with data protection regulations: FACILITA-EMPRENDE [jun 2020]
More resources about risk management and DPIAs can be found in the main section: Risk management.
Data Protection by Design and by Default
The following resources support the obligation to take into account, from the initial stages of definition and analysis of the processing, appropriate technical and organisational measures that ensure, by design and by default, the implementation of the data protection principles:
- A Guide to Privacy by Design [oct 2019]
- Guidelines for Data Protection by Default [oct 2020]
- Data protection by default: List of measures (only in Spanish, soon available in English) [sep 2020]
Personal Data Breach Management
The following resources support the obligation to implement incident recording and notification mechanisms in order to properly manage any possible breach.
- Guidelines on Personal Data Breach Notification [may 2021]
- Infographic: Personal Data Breach Communication [oct 2022]
- Tool to assess whether a personal data breach must be notified to the Data Protection Authority: ASESORA BRECHA [oct 2022]
- Tool to assess the obligation to communicate a personal data breach to the data subjects: COMUNICA-BRECHA RGPD [oct 2020]
- Personal Data Breach Notification Form [jun 2021]
- Security breach site (only in Spanish, soon available in English)
Application sectors and technologies
In order to respond to sectors of activity or technologies that introduce particularities into data processing, reference is made below to resources of interest, both national and international, that can support compliance with the principle of accountability. At this time, the published materials and resources cover the following areas:
- Anonymisation and Pseudonymisation
- Artificial Intelligence and automated decisions
- Big Data
- Biometrics
- Blockchain
- Cloud computing
- Covid-19 Pandemic
- Data protection by design and by default
- Encryption and privacy
- Governance and data protection policies
- Internet and mobile systems
- Internet of Things (IoT) and connected systems
- Personal data breach and security
- Public Administrations
- Risk management
- Telecommuting
Anonymisation and Pseudonymisation
Guidelines and technical surveys
- 10 Misunderstandings related to anonymisation [apr 2021]
- Introduction to the Hash Function as a Personal Data Pseudonymisation Technique [nov 2019]
- K-anonymity as a privacy measure [jun 2019]
Posts
- Anonymization III: The risk of re-identification [feb 2023]
- Anonymisation and pseudonymisation (II): Differential privacy [oct 2021]
- Anonymisation and pseudonymisation [oct 2021]
International recommendations and guidelines
- ART.29 WP: Opinion 05/2014 on Anonymisation Techniques [apr 2014]
- ENISA Report - Data Pseudonymisation - Advanced Techniques and Use Cases [jan 2021]
- ENISA: Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation [nov 2018]
Tools
- PDPC SINGAPORE: Guide to Basic Anonymisation [mar 2022]
- PDPC SINGAPORE: Basic Data Anonymisation Tool [mar 2022]
Artificial Intelligence and automated decisions
Because artificial intelligence is widely used in biometrics, the Biometrics section (linked below) also contains relevant information.
Guidelines and technical surveys
- Reference map of personal data processing that embed artificial intelligence [nov 2022]
- 10 Misunderstandings about Machine Learning [sep 2022]
- Audit Requirements for Personal Data Processing Activities involving AI [jan 2021]
- GDPR compliance of processing that embed Artificial Intelligence. An introduction [feb 2020]
Posts
- Federated Learning: Artificial Intelligence without compromising privacy [apr 2023]
- AI: System vs Processing, Means vs Purposes [apr 2023]
International recommendations and guidelines
- EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [jun 2021]
- European Commission - AI HLEG: A definition of AI: Main capabilities and disciplines [apr 2019]
- European Commission - AI HLEG: Ethics guidelines for trustworthy AI [apr 2019]
- Council of Europe: Guidelines on Artificial Intelligence and Data Protection [jan 2019]
- Council of Europe: Artificial Intelligence and Data Protection: Challenges and Possible Remedies [jan 2019]
- ART.29 WP: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 [oct 2017]
- ART.29 WP: Opinion 02/2013 on apps on smart devices [feb 2013]
- UNESCO: Recommendation on the Ethics of Artificial Intelligence [2021]
Big data
International recommendations and guidelines
- EDPS: Meeting the challenges of big data [nov 2015]
Biometrics
Because artificial intelligence is widely used in biometrics, the Artificial Intelligence and automated decisions section (linked below) also contains relevant information.
Guidelines and technical surveys
Posts
International recommendations and guidelines
- EDPS: Facial Emotion Recognition [may 2021]
- Council of Europe - Convention 108: Guidelines on Facial Recognition [jan 2021]
- ART.29 WP: Opinion 3/2012 on developments in biometric technologies [apr 2012]
Blockchain
Posts
- Blockchain (III): Smart Contracts and personal data [mar 2022]
- Blockchain (II): Basic concepts [nov 2020]
International recommendations and guidelines
Cloud computing
International recommendations and guidelines
- EDPB: 2022 Coordinated Enforcement Action - use of cloud-based services by the public sector [jan 2023]
- EDPB: Annex: National Reports on the CEF cloud action [jan 2023]
- ART.29 WP: Opinion 05/2012 on Cloud Computing [jul 2012]
Covid-19 Pandemic
Guidelines and technical surveys
- Guidelines for social distance and access control apps due to COVID-19 [jun 2020]
- Technologies in the fight against COVID19 [may 2020]
Posts
- Personal data and emergencies [apr 2020]
- Phishing Campaigns Regarding The Coronavirus [mar 2020]
International recommendations and guidelines
- EDPB: Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak [apr 2020]
- EDPB: Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak [apr 2020]
- EDPS: Contact Tracing with Mobile Applications [may 2020]
Data protection by design and by default
Guidelines and technical surveys
- Differential Privacy for Complex Data: Answering Queries Across Multiple Data Tables [mar 2021]
- Guidelines for Data Protection by Default [oct 2020]
- A Guide to Privacy by Design [oct 2019]
Posts
- Privacy by Design: Secure Multi-Party Computation: Additive Sharing of Secrets [may 2022]
- Privacy Engineering [sep 2019]
International recommendations and guidelines
- EDPB: Guidelines 4/2019 on Article 25 Data Protection by Design and by Default [oct 2020]
- EDPB: Response to the proposal of a member of the European Parliament regarding the possibility of requiring that all new laptops entering the European Union market be equipped with a camera cover [jun 2020]
- ENISA Report - Engineering Personal Data Sharing [jan 2023]
- ENISA Report - Data Protection Engineering [jan 2022]
- ENISA: Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default [dec 2018]
- NIST (National Institute of Standards and Technology): Privacy-Enhancing Cryptography to Complement Differential Privacy [nov 2021]
- NIST (National Institute of Standards and Technology): Automatic Proofs of Differential Privacy [jul 2021]
- NIST (National Institute of Standards and Technology): Testing for Differential Privacy Bugs [jun 2021]
- NIST (National Institute of Standards and Technology): Differential Privacy Bugs and Why They’re Hard to Find [may 2021]
- NIST (National Institute of Standards and Technology): Differentially Private Synthetic Data [may 2021]
- NIST (National Institute of Standards and Technology): Differential Privacy for Complex Data: Answering Queries Across Multiple Data Tables [mar 2021]
- NIST (National Institute of Standards and Technology): Workloads of Counting Queries: Enabling Rich Statistical Analyses with Differential Privacy [feb 2021]
- NIST (National Institute of Standards and Technology): Summation and Average Queries: Detecting Trends in Your Data [dec 2020]
- NIST (National Institute of Standards and Technology): Counting Queries: Extracting Key Business Metrics from Datasets [oct 2020]
- NIST (National Institute of Standards and Technology): Threat Models for Differential Privacy [sep 2020]
- NIST (National Institute of Standards and Technology): Differential Privacy for Privacy-preserving Data Analysis: An Introduction to our Blog Series [jul 2020]
- NIST: Privacy Framework
- NIST: Privacy Engineering Program
- Harvard University: Privacy Tools Project
Encryption and privacy
Posts
- Encryption and Privacy V: The key as personal data [dec 2021]
- Encryption and Privacy IV: Zero Knowledge Proofs [nov 2020]
- Encryption and Privacy III: Homomorphic encryption [jun 2020]
- Encryption and Privacy II: Lifespan of personal data [jan 2020]
- Encryption and Privacy: Encryption in the GDPR [nov 2019]
International recommendations and guidelines
- EDPB: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data [jun 2021]
- EDPS: Quantum Computing and Cryptography [aug 2020]
- ART.29 WP: Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU [apr 2018]
Governance and data protection policies
Posts
- When to review data protection measures [feb 2023]
- Group Privacy [oct 2020]
- Data Governance and Data Protection Policy [sep 2020]
- Consent receipt: A tool for transparency and proactive accountability [feb 2020]
International recommendations and guidelines
- EDPB: Guidelines 07/2020 on the concepts of controller and processor in the GDPR [jul 2021]
- EDPB: Guidelines 05/2020 on consent under Regulation 2016/679 [may 2020]
- EDPS: Personal Information Management Systems [jan 2020]
- EDPS: EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data [dec 2019]
- ART.29 WP: Guidelines on the right to data portability [apr 2017]
- EDPS: Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit [apr 2017]
- ART.29 WP: Guidelines on Data Protection Officers (DPO) and "large-scale" notion [dec 2016]
Internet and mobile systems
Guidelines and technical surveys
- Guide on use of cookies [jan 2021]
- Measures to minimise internet tracking [sep 2020]
- Infographic: Measures to minimise internet tracking [sep 2020]
- Introduction to 5G technologies and their risks in terms of privacy [may 2020]
- Protection of minors on the Internet [apr 2020]
- DNS Privacy [nov 2019]
- The duty to inform and other accountability measures for mobile devices [may 2019]
- Access to applications on the screen for Android devices [may 2019]
- User controls for ad personalisation on Android [may 2019]
- Analysis of information flows in Android. Tools for compliance with accountability [mar 2019]
- Survey about preinstalled apps in Android and privacy risks [mar 2019]
- Survey on Device Fingerprinting [feb 2019]
Posts
- UEBA and data protection [mar 2023]
- Metaverse and Privacy [jun 2022]
- Dark patterns: Manipulation in internet services [may 2022]
- HTTPS: Encryption on the Web [apr 2021]
- Identification in online payment services [dec 2020]
- Privacy risks when logging in other applications with social media accounts [oct 2020]
- URL shorteners [jul 2020]
- Recommendations to Prevent Digital Harassment [may 2020]
International recommendations and guidelines
- EDPS: TechDispatch 1/2022 Federated Social Media Platforms [jul 2022]
- EDPB: Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them [mar 2022]
- EDPB: Guidelines 8/2020 on the targeting of social media users [apr 2021]
Internet of Things (IoT) and Connected Systems
Guidelines and technical surveys
- Infographic: Privacy Risks of Internet of Things at Home [mar 2021]
- Guide on drones and data protection [may 2019]
Posts
- Neurodata: privacy and protection of personal data (II) [jan 2023]
- Neurodata and neurotechnology: privacy and protection of personal data [nov 2022]
- IoT (III): IoT Home Automation [may 2021]
- IoT (II): from the internet of things to the internet of bodies [jan 2021]
- Connected Cars [apr 2020]
- IoT (I): What is IoT and which risks does it entail [dec 2020]
International recommendations and guidelines
- EDPB: Guidelines 02/2021 on Virtual Voice Assistants [jul 2021]
- EDPB: Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications [mar 2021]
- EDPB: Guidelines 3/2019 on processing of personal data through video devices [jul 2019]
- EDPS: Connected Cars [dec 2019]
- EDPS: Smart Meters in Smart Homes [oct 2019]
- EDPS: Smart Speakers and Virtual Assistants [jul 2019]
- ART.29 WP: Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones [jun 2015]
Personal data breach and security
Guidelines and technical surveys
- Guidelines on Personal Data Breach Notification [may 2021]
- Infographic: Personal Data Breach Communication [oct 2022]
Tools
- Tool to assess whether a personal data breach must be notified to the Data Protection Authority: ASESORA BRECHA [oct 2022]
- Tool to assess the obligation to communicate a personal data breach to the data subjects: COMUNICA-BRECHA RGPD [oct 2020]
Templates and forms
Posts
- Personal Data Breaches: Development and Pre-Production Environments [apr 2022]
- Without privacy there is no cybersecurity [feb 2022]
- Personal data breaches: Ransomware and risk management [dec 2020]
- Personal data breaches: online productivity platforms [jun 2020]
- Data protection and security [apr 2020]
- Personal data security breaches: Top 5 technical measures to be taken into account [apr 2020]
- Notification of personal data security breaches during the state of alarm [apr 2020]
- Phishing Campaigns Regarding The Coronavirus [mar 2020]
- Data breach: communication to the data subject [feb 2020]
- Data breaches: protect yourself against the loss or theft of a portable device [oct 2019]
- Personal data breaches: what they are and how to respond [jun 2019]
- Personal data breaches: protect yourself against ransomware [may 2019]
International recommendations and guidelines
- EDPB: Guidelines 01/2021 on Examples regarding Data Breach Notification [dec 2021]
- ART.29 WP: Guidelines on Personal data breach notification under Regulation 2016/679 [feb 2018]
- ENISA: Handbook on Security of Personal Data Processing [dec 2017]
- ENISA: Guidelines for SMEs on the security of personal data processing [dec 2016]
Public Administrations
Guidelines and technical surveys
- Guidelines for conducting a data protection impact assessment in regulatory development [apr 2023]
- Guidelines to manage data breach risk in public sector bodies massive data communications [mar 2023]
- Guidelines on Cookies and Web Analytics in Public Administration Websites [feb 2023]
- Technologies and Data Protection in Public Administrations [dec 2020]
- Guidelines for Implementation of the Eighth Additional Provision and Twelfth Final Provision of the LOPDGDD [feb 2020]
Templates and forms
- Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations [apr 2022]
International recommendations and guidelines
Risk management
Guidelines and technical surveys
- Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
- List of tables of the guidelines Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
- List of the types of data processing that require a DPIA (art 35.4) [sep 2019]
- Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]
Tools
- Tool for the analysis of risk factors: EVALUA-RISK v2 [sep 2022]
- Tool for conducting risk analysis and data protection impact assessments (only in Spanish, soon available in English) [jul 2019]
- Tool to help compliance with GDPR for entities that carry out low-risk processing activities: FACILITA GDPR [may 2019]
- Tool to help entrepreneurs and technology start-ups to comply with data protection regulations: FACILITA-EMPRENDE [jun 2020]
Templates and forms
- Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations [apr 2022]
- Template For Data Protection Impact Assessment Report (DPIA) For Private Sector [mar 2022]
- Checklist for determining the formal adequacy of a DPIA and the submission of prior consultation [feb 2022]
Posts
- Do you know Gestiona? [jan 2020]
International recommendations and guidelines
- ART.29 WP: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 [oct 2017]
- ART.29 WP: Statement on the role of a risk-based approach in data protection legal frameworks [may 2014]
- NIST (National Institute of Standards and Technology): SP 800-53B Security and Privacy Controls for Information Systems and Organizations [sep 2020]
- NIST: Spreadsheet (.xlsx) version of SP 800-53B controls [sep 2020]
Telecommuting
Guidelines and technical surveys
Posts
- Telecommuting and data protection in the digital sphere [jul 2021]
- Privacy in Online Meetings [feb 2021]
International recommendations and guidelines