The Director of DPA (Director) announced in October that professional associations, including bar associations, must appoint a DPO.

The Director made clear that the DPO will be a key figure within the new model for public bodies and entities that process personal data on a large scale or carry out profiling. Accordingly the new Spanish Data Protection Act, which is likely to be finalised in coming weeks, will include examples of entities that must appoint a DPO, such as professional associations.

Though the GDPR does not contain specific security measures, the Director said that it included the key term "proactive responsibility", which implies that companies and organizations will decide the measures to take depending on the risk analysis carried out. This risk analysis based approach is key given the penalties introduced by the GDPR, where the maximum penalty will increase from EUR 600,000 to EUR 20 million. This in addition to the reputational damage to a company should it fail to preserve its clients' privacy.

The director of the DPA also summarized the actions being carried out by the DPA to help SMEs adapt to these new obligations, such as the "Facilita RGPD" tool for entities that carry out basic processing of personal data.