AEPD launches new version of its Manage GDPR tool

(23 May 2024). The Spanish Data Protection Agency (AEPD) has launched a new version of Gestiona RGPD / Manage GDPR, a tool that helps manage personal data processing, assess and manage risks through a catalogue of privacy measures and, if necessary, assist in carrying out impact assessments. Gestiona3 GDPR targets controllers and processors as well as data protection officers. The new version expands the catalogue of applicable privacy measures to mitigate the risks identified in the processing and includes improvements in the editing of final reports, among other possibilities.

The General Data Protection Regulation (GDPR) provides that organisations processing personal data must keep a Register of Activities (RAT) and identify and manage the risks such processing may have for the rights and freedoms of the individuals whose data is being processed. The objective is to select and implement appropriate measures to minimise each risk identified. At the same time, where that analysis reveals that there is a high risk to the protection of individuals, the GDPR provides that those organisations must carry out a data protection impact assessment (DPIA).

Manage GDPR allows managing the register of processing activities of an organisation, with up to 500 treatments in an integrated way, as well as different entities. It includes functions to identify risk factors for the rights and freedoms of individuals and to make a first intrinsic risk assessment. These functions make it possible to manage the risk with privacy measures that the tool itself suggests for each identified risk factor, as well as measures for managing personal data and security gaps, and organisational measures and data protection policies.

The new version of Gestiona moved from over 500 measures to almost 800 measures classified according to the risk factors previously identified by the institution, including also aspects such as governance, security and data gaps. Thus, the selection of risk factors and measures to mitigate them constitute a broad starting point for the risk identification and management processes that are necessary to comply with the risk approach set out in the GDPR. Furthermore, Gestiona is a useful tool for organisations that need to start carrying out personal data protection impact assessments when, from the risk analysis carried out, it appears that processing may pose a high risk to the rights and freedoms of the individuals whose data are processed.

The processing is managed on the user’s device via his browser, without installing any kind of application, storing the information locally, allowing to manage the data of different controllers and without transmitting information to the Agency, or to third parties, ensuring confidentiality. The information can be stored in a file on the user’s computer and retrieved after each session, allowing different versions. The new version includes improvements in the editing of the reports produced by the tool when the process is completed. In addition, the Agency has carried out an analysis of the queries raised by controllers and included responses to all of them in a new user guide that includes issues related to the scope of the tool, storage and storage of processed information or measures to mitigate the identified risk factors.

Manages GDPR is part of the catalogue of tools offered by the Agency to help organisations comply with their obligations. These tools include Facilita RGPD, Facilita Emprende, Evalúa-Riesgo RGPD, Comunica-Brecha RGPD, Asesora Brecha and ValidaCripto RGPD, as well as technical notes and guides addressing specific aspects.