“Data protection should be a mandatory subject in schools”
Flora Egea is BBVA's Data Protection Officer (DPO). She has a critical assignment in her hands: to ensure that BBVA complies with Europe’s GDPR (General Data Protection Regulation), which has revolutionized the way companies handle personal data. On the six-month anniversary of its implementation, she believes the legislation has raised awareness among the general public about the need to protect their personal data, but there is still work to be done. In her opinion, GDPR is a positive step and positions Europe as a world leader given its unique treatment of data as a fundamental right.
QUESTION: It will be six months since GDPR was fully rolled out. How would you rate the regulation's first half-year in force?
ANSWER: I'd give it a positive appraisal. There is greater awareness among the general public about the protection of personal data as a fundamental right, but there are also improvements to be made. For example, the Spanish Data Protection Agency has received a lot of notifications about security breaches, which pursuant to GDPR should not have been the case. In short, its enforcement needs to be refined.
Q: How does BBVA go about putting in place all the changes required by a law that changes so many things?
R: The standards are already implemented at BBVA. The thing is there is no end date. It’s an ongoing, living process because new products and services constantly pop up and need to be aligned with GDPR, and we include other avenues where personal data is handled, such as with suppliers and employees. Indeed, this is a huge organization. The effort has been immense, and its success is down to the participation of all the teams involved. They have been the key to making our compliance possible.
Q: Have you had to undertake much work for GDPR-related training?
R: Yes, it is one of the responsibilities of the DPO, the Data Protection Officer. We sent notifications directly to customers from our branches; we took on the organization of departmental training activities for employees, in addition to developing a mandatory online course for all BBVA personnel. And we have more initiatives planned.
Q: How did you communicate the new regulation to customers?
R: Information was sent to a large percentage of customers in January — taking advantage of our “duty to inform” as established by GDPR. We were the first bank and one of the first companies in Spain to communicate with our customers about the new regulation. Communication was conducted in a number of ways: those customers that use our digital channels were informed online; for other customers, we used other means: the bank's branches, mail, and even at the ATMs. The communication led our customers to ask a lot of questions because not everyone was aware of the new legislation. They were able to contact us through a special mailbox we made available to them. And we answered all their questions. In doing so, BBVA set a high bar for the rest of the market when it came to taking the steps required to adopt GDPR. Later, everyone who had to comply with the legislation looked at how we had managed it and tried to do what we had done.
Q: You are BBVA's DPO. Can you explain what this role entails?
R: The Data Protection Officer is a role that is mandated by the EU's new legislation. It is a mandatory position in certain types of companies, as well as in public organizations or bodies. Each company has to perform their own analysis of the criteria established by GDPR to determine if the obligation to appoint a DPO applies to them or not. Then they have to issue a report that should be kept on file and be available to the data protection authorities.
In the case of banks, major financial institutions, insurance companies, there was no doubt that it was mandatory. This is how it works throughout the European Union. So, it was obvious that BBVA needed a DPO. The data protection officer role functions as the company's internal custodian of data protection, the individual who ensures that this fundamental right is embraced by the organization and that it is accounted for with each new product or service and in every instance when the company handles personal data. It is a huge task, but fortunately, I have a fantastic team. Beyond a shadow of a doubt, our success lies with them.
Q: So, for example, if a customer has a question or problem related to data protection at BBVA, he or she can contact you?
R: Of course. A customer, an employee, a supplier, a shareholder. Even someone who isn’t a BBVA customer but has a concern is entitled to contact the DPO.
Q: GDPR is legislation, which means that it is mandatory throughout Europe. Is it administered differently in Spain compared to the rest of Europe?
R: By definition, legislation must be applied consistently, using the same text and adhering to the same timelines in all European Union countries. As compared to a directive, which requires what the EU calls “national transposition”-- essentially adapting and incorporating the directive into national law. In the case of GDPR, it does not require national transposition, but it does need an addendum to be integrated into each member country’s legal framework, and this is done through a national law. So, there will be a new law in Spain -- the Data Protection Law (Ley Orgánica de Protección de Datos or LOPD) -- which will accommodate GDPR within the Spanish legal framework.
Q: And is the new national law ready yet?
R: We think it will be approved shortly and will include a new section on digital rights.
Q: With respect to other regions of the world, GDPR is a unique legal framework. Do you think it's sufficient to address the challenges facing the digital economy? Could we see cases like the Facebook scandal repeated in the European Union?
R: We had had laws before, but they needed to be updated. As a result, we received GDPR, which promises to be around for a long time. Still, on its own, it's not enough. We’re expecting e-Privacy, another regulation that will assist and complement the GDPR legislation. Self-regulation is also required: codes of conduct and best practice. It is essential for us to be aware of its importance. For example, at BBVA we advocated for a banking code of conduct.
Q: Would it be right to say that an advantage of GDPR is that it unifies the approach to data protection across Europe?
R: That is its primary purpose: legal harmonization, avoiding the scattered approach we had had previously. GDPR's “predecessor” was a directive that was adapted into 28 national standards that didn't have much to do with each other.
Q: There are those who believe that it puts Europe at a competitive disadvantage in some sectors such as artificial intelligence. Do you share this opinion?
R: No, I don't think that’s true. Artificial Intelligence isn't limited to personal data, it's tied to heaps of other kinds of data and even works with anonymized data. Hence, GDPR does not put Europe at a competitive disadvantage.
Q: Do you think GDPR could be adopted by other countries like the U.S.? Could we say that as Europeans we have better protected data than Americans?
R: Precisely. With GDPR, Europeans’ data is better protected than the data of U.S. citizens. In Europe data protection is more important. In the U.S. they have a different concept: they lean toward the protection of privacy, what they call “data privacy” instead of focusing on data protection.
Q: What’s the difference?
R: The ideas are closely related, but they are not exactly the same. Privacy is more linked to authorized access to data, whereas data protection is linked to protecting against unauthorized access. The protection of personal data in the U.S. is not a fundamental right, because business, the market, takes priority. However, the bar GDPR has set for Europe also impacts the rest of the world. If they want to do business here, they have to comply with our standard. It's the contagion effect in action. Not only in Latin America, but also in the United States. Not very long ago, California approved a privacy law that has many things in common with GDPR. In the last annual meeting of data protection authorities in Brussels, at least two of the big American tech giants, Apple and Facebook, made a case for federal level legislation similar to GDPR.
Q: Does this request make sense?
R: When it comes to data protection, large companies operate in accordance with our standards. So, if they can comply with the regulation here, they should be able to comply with it in other regions. A global, standardized GDPR law makes sense.
Q: If we look at GDPR at the level of the consumer’s real day-to-day life, what is its impact?
R: When the change of legislation was communicated to consumers, they received a deluge of emails. At the time, it was perceived as spam. On the other hand, at BBVA we managed to make inroads with our customers by communicating the change as far back as January. We had the effect we were looking for: informative and educational. It’s a fact that little by little we’re seeing a greater sense of awareness from the public about this issue. GDPR empowers people to be aware about their data rights and decide what they want to do with them.
Q: It forces companies to be more transparent when the customer is accepting service conditions.
R: It makes the language clearer so the consumer is more aware of what he or she is accepting and avoids bulk consents. Customers should be able to give consent at a granular level – without losing any of the product or service benefits — so that their data can't be used for purposes they didn’t agree to.
Q: And how has it impacted companies? Has it changed the way they collect, handle, or share data with third parties?
R: There’s more significant liability, to make sure companies are behaving correctly. The handling of personal data occurs in practically every single company process; consequently, businesses have had to review all their processes to be sure those that involve personal data have been appropriately adapted.
Q: In general, do you think data is better protected now than it was before?
R: Yes, I do. GDPR was adopted to improve on the rights that were addressed in previous regulation, to broaden the scope, and to force companies to be more protective and transparent when handling personal data.
Q: Do you think the general population is sufficiently concerned about protecting their data?
R: It is true that in this aspect, we're missing a trick; the educational element is incredibly important. You see two scenarios: people who are aware of their rights and others who ignore them completely. We need to be aware of how important it is to protect our data. Then we have young people who are used to putting their lives on display on social media. In many cases they are not aware of the ramifications this might have.
Q: That's what I was going to ask: how can you make people aware? At BBVA we are taking the steps to educate consumers, but not all businesses are doing the same.
R: I think it’s a much wider task. Because data protection is a fundamental right, it concerns everyone, so it’s not a challenge purely for business. The public sector needs to be involved. Data protection should be a mandatory subject in schools. APEP, the Spanish Professional Association of Privacy, has lobbied for privacy issues to be formally included in educational and training curriculum. Up to now, it's not been successful, but they have been able to promote some training activities in elementary and high schools.