
Personal data protection has become an essential pillar of regulatory compliance and contemporary business strategy. It is not just a matter of avoiding penalties, but also of ensuring the trust of customers and suppliers, safeguarding corporate reputation and ensuring business continuity. The risk is clear: in 2024, the Spanish Data Protection Agency (AEPD) received 2,933 notifications of security breaches – an increase of 46% compared to 2023 – and imposed fines running into millions in proceedings related to non-compliance with regulations.

Given this scenario, it is essential to have a solid and structured regulatory framework for compliance that goes beyond contractual clauses or legal notices published on a website. This minimalist approach creates a false sense of security that can have serious consequences. True compliance requires a comprehensive set of technical, organisational and legal measures, ranging from in-house action protocols and records of processing activities to the proper formalisation of data processing agreements. All of this must be developed within the framework of the principle of accountability, which requires organisations not only to comply, but also to demonstrate such compliance in a reliable manner.

Compliance with this principle emphasises the actual and effective implementation of measures rather than the achievement of an absolute result. This has been established by the Supreme Court in its judgment STS 543/2022, stating that ‘data protection measures are an obligation of means and not of results’. This implies that the responsibility of organisations is not measured by the total absence of incidents, but by their ability to prove that they have sufficient, adequate and proportionate means to prevent and manage them diligently.

This criterion has already been applied in practice in procedure E/5175/2020, in which the AEPD assessed the immediate detection of a security breach, its diligent notification and the adoption of corrective measures, together with the prior existence of reasonable technical and organisational measures to minimise risks of this nature. The combination of prevention and proportionate reaction led to the procedure being closed.

In short, data protection cannot be approached in a partial or formalistic manner. It is a comprehensive commitment that requires adequate resources, effective procedures and constant updating in the face of a constantly evolving regulatory framework. Only in this way can a solid position before the supervisory authority, customer confidence and the sustainability of business activity be guaranteed.

The adoption of a comprehensive and consistent compliance framework, based on the principle of proactive responsibility, transcends mere legal obligation: it is a strategic imperative. Only those organisations that incorporate data protection into their corporate culture will be in a position to mitigate risks, safeguard their reputation and consolidate the trust necessary to compete robustly in today’s digital environment.
