Analysis · Consulting

The briefing .

Regulatory, strategy and compliance analysis for business owners who already have traction. Fortnightly ; no noise.

Compliance · AI Act

On 2 August, "we'll deal with it later" runs out .

High-risk systems come into full effect. Which companies thought they were exempt and turn out not to be — and where to start if nothing has been done yet.

RGPD

The AEPD no longer warns: it fines on the first offence

M&A

Why compliance due diligence sinks more deals than EBITDA

NIS2

Your mid-sized company probably falls under NIS2 without knowing it

28 MAY 2026

Criminal compliance is not a document: it is a habit

A UNE 19601 programme only exempts liability if it is kept alive. How to maintain it between audits.

21 MAY 2026

Data governance: the layer CSRD takes for granted

Without data owners or a data catalogue, the sustainability report is built on sand.

14 MAY 2026

Interim management: filling the gap for exactly the right amount of time

Neither leaving management vacant nor improvising a promotion. The third way.

07 MAY 2026

ENS for SMEs: the gateway to the public sector

How to fit into the right category before overspending.

30 APR 2026

The strategic plan that embeds regulation from the start

Why the classic consultancy's PowerPoint ages badly in 2026.

23 APR 2026

Sector-specific DPO: a parish is not a dental clinic

The value lies in the specialists who understand the sector, not in the price.

All articles

10 July 2026

How to Choose an External DPO Provider: 10 Criteria Before You Sign

Choosing an external DPO should not come down to comparing quotes. This guide gives ten objective criteria —conflict of interest, qualification, sector specialisation, proximity, contractual deliverables, 72-hour breach response and price transparency— to filter any proposal before signing, without naming competitors.

Read article
10 July 2026

How to Notify a DPO to the AEPD: A Step-by-Step Communication Guide

Appointing a DPO does not end with signing the designation letter: Article 37.7 of the GDPR requires notifying the AEPD and publishing the DPO's contact details. This guide explains the step-by-step procedure on the Electronic Office, the deadlines, the most common mistakes and what you risk by delaying.

Read article
10 July 2026

Record of Processing Activities (RAT): who must keep one and how to do it

Many SMEs believe they are exempt from keeping a Record of Processing Activities because they have fewer than 250 employees. Article 30.5 of the GDPR says otherwise: the exemption only protects a handful of very specific cases. This guide debunks the myth and explains, field by field, how to build a RAT as controller and as processor.

Read article
10 July 2026

Fines for Not Having a DPO: What You Risk Under the GDPR and Spain's LOPDGDD

Not having a DPO when the law requires one is not an administrative oversight: it is a codified infringement that the AEPD can sanction under Article 83.4 of the GDPR, and one that Spain's LOPDGDD grades within its own penalty regime. This guide explains exactly what is being sanctioned, at what amounts, when it lapses, and how to avoid it.

Read article
June 22, 2026

GDPR in human resources: what employee data your company may process

The GDPR and the LOPDGDD (Spain’s Organic Law on Personal Data Protection and Digital Rights Guarantee) establish a specific framework for processing employee data that goes far beyond payroll: legal bases, digital rights at work, working-time records and special categories of data are the pillars every company must understand in order to comply with the regulations.

Read article
June 22, 2026

Candidate Data in Recruitment Processes: What the GDPR Requires

Whenever a company receives a CV, runs a recruitment process or views a candidate's LinkedIn profile, it is processing personal data subject to the GDPR; understanding the specific obligations—legal basis, retention period, required information and social-media limits—is essential to avoid infringements.

Read article
June 23, 2026

Fleet and Company Vehicle Geolocation: GDPR Limits

Installing a GPS system in company vehicles involves processing employees' personal data: article 90 of the LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights) sets the rules, and the AEPD (Spanish Data Protection Authority) has declared unlawful those processing operations that failed to provide prior information or that tracked employees outside working hours.

Read article
June 22, 2026

What to Do During an AEPD Inspection: A Step-by-Step Companion Guide

Receiving a communication from the AEPD (Spain's Data Protection Agency) triggers a process with strict deadlines and significant legal consequences. Understanding the phases, knowing your rights, and having the right documentation ready makes the difference between responding with authority or being caught at a disadvantage.

Read article
June 25, 2026

Video surveillance in homeowners' associations: what the AEPD allows

Installing cameras in the common areas of a homeowners' association requires compliance with the GDPR, the LOPDGDD and the Spanish Horizontal Property Act: from the general meeting resolution to the information notice, the maximum thirty-day retention period and strict control of access to recordings.

Read article
June 29, 2026

Security incident management protocol for companies

Knowing what to do in the first hours after detecting a security incident makes the difference between an orderly response and a crisis that spirals out of control: we walk you through the phases of a real protocol, from detection to lessons learned.

Read article
28 June 2026

How to Report a Data Breach to the Spanish DPA within 72 Hours

When a security breach occurs, the clock starts from the moment you become aware of the incident. The General Data Protection Regulation sets a 72-hour deadline to notify the Spanish Data Protection Agency (AEPD), and not every organisation knows what steps to take or in what order.

Read article
28 June 2026

GDPR-compliant CCTV notice: what it must include

Installing cameras without an adequate information notice is one of the most common CCTV infringements sanctioned by Spain's data protection authority, the AEPD. We explain what the notice must include, where to place it, how long images may be retained, and the key differences between cameras in public-facing areas and in the workplace.

Read article
28 June 2026

Functions of the Data Protection Officer (DPO): a complete guide

The Data Protection Officer (DPO) is not a paperwork exercise: the regulation gives this figure genuine independence and clearly defined responsibilities. This guide explains what a DPO does, what they cannot do, and when their designation is mandatory under the GDPR and the Spanish LOPDGDD.

Read article
010203Next →