The Spanish Data Protection Agency (DPA) has published a document, called "The new GDPR and its impact on the activities of Local Administrations" (Report), which summarizes the main measures that Local Administrations must implement to comply with the GDPR before 25 May 2018.

Key measures considered in the Report include: the need to plainly identify the purposes and legal basis of processing personal data, the need to adapt the information offered to data subjects, the need to establish simple and accessible mechanisms for data subjects to exercise their rights, and the need to establish mechanisms that promote prompt answers, within the period identified in the GDPR, when such rights are exercised.

Additionally, the Report addresses the need to carry out a risk analysis of the processing of personal data. This will mean establishing both an activity registry and mechanisms to identify the existence of security breaches and respond to them, and to appoint a Data Protection Officer (DPO). However, as Local Administrations are not always able to appoint a DPO, the DPA recommends that Provincial Councils offer Local Administrations these services or appoint a DPO for several entities.