Data protection in 2026: new obligations for businesses and SMEs
The protection of personal data remains one of the most legally significant areas in the business world.
In 2026, supervisory authorities have stepped up their oversight of small and medium-sized enterprises, particularly in the digital sphere.
Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) set out clear obligations regarding the processing of personal data.
Among the main areas of risk identified are the inappropriate use of cookies without valid consent (according to the AEPD’s Cookie Guide), the failure to update privacy policies, and the absence of data processing agreements with suppliers.
Furthermore, Article 32 of the GDPR requires the implementation of appropriate technical and organisational measures to ensure data security, including encryption, access control and protocols for dealing with security breaches.
Fines can reach up to €20 million or 4% of global annual turnover, which poses a significant risk even for small businesses.
It is therefore recommended that organisations carry out regular data protection audits, keep the legal notices on their websites up to date, train staff and seek specialist legal advice to ensure regulatory compliance.
Proper management of personal data not only avoids penalties but also strengthens the trust of customers and users, providing a competitive advantage in today’s market.





