Four compliance obligations, one provider: save time, money and duplication
Spanish mid-sized companies — between 50 and 250 employees — face an unprecedented regulatory accumulation. In less than five years, four major compliance frameworks have come into force or intensified simultaneously, affecting virtually any company of this size: the General Data Protection Regulation (GDPR) and the LOPDGDD with their obligations for records of processing activities, Data Protection Officer (DPO) and impact assessments; Ley 10/2010 on the prevention of money laundering for obliged entities in the sector; Ley 2/2023 on whistleblower protection (the Whistleblowing Directive), which requires companies with 50 or more employees to have an operational internal reporting channel in place; and the corporate criminal liability regime under Article 31 bis of the Penal Code (art. 31 bis del Código Penal), which can only exonerate or mitigate criminal liability if the company had an effective crime prevention programme in place before the offence was committed. The problem is that many companies manage these obligations in a fragmented way: one consultancy for GDPR, one law firm for criminal compliance, a technology platform for the whistleblowing channel, and nobody checking whether the four programmes are coherent with each other. This fragmentation generates documentary duplication, contradictory policies, unnecessary costs, and — most critically — invisible compliance gaps. The whistleblowing channel processes personal data and needs its own record of processing activities compliant with GDPR. Criminal compliance requires a channel for reporting irregularities. AML prevention needs internal policies that do not contradict data protection policies. Everything is interconnected.
Data processed in the EU · GDPR · No commitment
Specialised advice and personal service
BMC offers an integrated compliance service for SMEs that brings all four obligations under one provider and a single point of contact. We design the compliance programme as a coherent system in which internal policies, procedures and documentation do not duplicate but complement each other. A single external compliance officer coordinates all four areas, knows the company in depth, and ensures there are no contradictions between the different programmes. The integrated approach not only reduces the total cost of compliance — we estimate savings of 30% to 50% compared with engaging the four services separately from different providers — it also produces a higher-quality compliance programme, because the different elements are designed in a coordinated way from the outset. We also include an annual compliance audit that reviews the status of all programmes and updates documentation in response to regulatory changes.
-
Integrated SME compliance covers three dimensions
criminal (crime prevention programme), GDPR (data protection) and employment (equality, harassment, whistleblowing channel).
-
The whistleblowing channel has been mandatory for companies with 50 or more employees since Ley 2/2023.
-
The equality plan is mandatory for companies with more than 50 employees — without it, the company may be excluded from public contracts.
-
GDPR requires records of processing activities, a privacy policy, data processing agreements with providers, and impact assessments for high-risk processing.
From first contact to case completion
Do you need this service?
Answer three questions and we'll show you the most relevant service for your case.
The problem
Spanish mid-sized companies — between 50 and 250 employees — face an unprecedented regulatory accumulation. In less than five years, four major compliance frameworks have come into force or intensified simultaneously, affecting virtually any company of this size: the General Data Protection Regulation (GDPR) and the LOPDGDD with their obligations for records of processing activities, Data Protection Officer (DPO) and impact assessments; Ley 10/2010 on the prevention of money laundering for obliged entities in the sector; Ley 2/2023 on whistleblower protection (the Whistleblowing Directive), which requires companies with 50 or more employees to have an operational internal reporting channel in place; and the corporate criminal liability regime under Article 31 bis of the Penal Code (art. 31 bis del Código Penal), which can only exonerate or mitigate criminal liability if the company had an effective crime prevention programme in place before the offence was committed. The problem is that many companies manage these obligations in a fragmented way: one consultancy for GDPR, one law firm for criminal compliance, a technology platform for the whistleblowing channel, and nobody checking whether the four programmes are coherent with each other. This fragmentation generates documentary duplication, contradictory policies, unnecessary costs, and — most critically — invisible compliance gaps. The whistleblowing channel processes personal data and needs its own record of processing activities compliant with GDPR. Criminal compliance requires a channel for reporting irregularities. AML prevention needs internal policies that do not contradict data protection policies. Everything is interconnected.
Our solution
BMC offers an integrated compliance service for SMEs that brings all four obligations under one provider and a single point of contact. We design the compliance programme as a coherent system in which internal policies, procedures and documentation do not duplicate but complement each other. A single external compliance officer coordinates all four areas, knows the company in depth, and ensures there are no contradictions between the different programmes. The integrated approach not only reduces the total cost of compliance — we estimate savings of 30% to 50% compared with engaging the four services separately from different providers — it also produces a higher-quality compliance programme, because the different elements are designed in a coordinated way from the outset. We also include an annual compliance audit that reviews the status of all programmes and updates documentation in response to regulatory changes.
How we do it
Multi-disciplinary compliance audit
We begin the engagement with a cross-cutting audit that analyses the current state of compliance across all four areas: GDPR (records, processor agreements, privacy policy, legal bases), AML where applicable, whistleblowing channel and criminal compliance. We deliver a gap report prioritised by risk level and a coordinated action plan.
Design of the integrated programme
We design the compliance programme as a single system: coherent internal policies, a code of ethics that serves as the foundation for all programmes, a staff training system that covers all areas simultaneously, and a documentary structure that avoids duplication. The whistleblowing channel is integrated with criminal compliance and GDPR from the outset.
Coordinated implementation and training
We implement all programmes in a coordinated manner, managing timelines and internal communications. We train staff in a single annual session covering all four areas in an integrated way, with differentiated materials by level of responsibility. We document training attendance for each employee.
External compliance officer and annual audit
We act as the company's external compliance officer: we are the single point of contact for any compliance matter, manage incidents as they arise, and conduct the annual audit that verifies the status of all programmes and updates documentation in response to regulatory or business changes.
We had GDPR with one firm, a recently installed whistleblowing channel with another, and criminal compliance half-finished with our lawyer. BMC unified everything, identified three serious contradictions between our policies that nobody had spotted, and now we have a coherent programme with a single point of contact. Total cost fell by 35% and we sleep much better. (anonymised case)
The regulatory accumulation facing mid-sized companies
Spanish companies with between 50 and 250 employees find themselves at the epicentre of an unprecedented accumulation of regulatory obligations. This is not a single new law to absorb: over the past five years, four major regulatory frameworks have simultaneously come into force or intensified, applying independently yet sharing the same operational space within the company.
GDPR and the LOPDGDD have been in force since 2018, but the AEPD (Spanish Data Protection Authority) has significantly increased its enforcement activity over the past three years. Records of processing activities, processor agreements, impact assessments and privacy policies are not documents written once: they require continuous maintenance.
Ley 2/2023 on whistleblower protection required companies with 50 or more employees to have an operational internal reporting channel in place by 1 December 2023. Companies that do not have one are in active non-compliance, with fines that can reach 1 million euros for the most serious infringements.
The criminal compliance programme under Article 31 bis of the Penal Code (art. 31 bis del Código Penal) is not formally mandatory in the strict sense, but its absence has devastating consequences: if a director or employee commits an offence in the course of their duties for the benefit of the company, the company faces criminal liability unless it can demonstrate that it had an effective and operational crime prevention model in place before the event. The programme cannot be created after the problem has arisen.
AML prevention (prevención del blanqueo de capitales) under Ley 10/2010 applies to entities classified as obliged entities, a category that covers more sectors than many companies realise: real estate agencies, advisory firms, wealth managers and company service providers, among others.
Why fragmentation between providers is the biggest mistake
The typical response of mid-sized companies to the regulatory wave is to engage a different provider for each obligation: a digital consultancy for GDPR, the usual law firm for criminal compliance, a SaaS platform for the whistleblowing channel, and perhaps nobody for AML prevention because they are unsure whether it applies.
This fragmentation generates three critical problems that rarely become visible until an incident occurs.
Documentary contradictions: The whistleblowing channel collects personal data on informants and persons reported. That data requires its own legal basis, its own record of processing activities and its own retention periods. If the channel provider does not communicate with the GDPR DPO, inconsistent policies are almost inevitable.
Invisible gaps: Each provider knows their piece. Nobody reviews the whole. Criminal compliance requires an internal reporting channel to report irregularities to the supervisory body of the model. If the whistleblowing channel was set up by a different provider as a purely employment channel under Ley 2/2023 and is not integrated with the criminal model, there is a gap that nobody has detected.
Unnecessarily high cost: Staff training on GDPR, criminal compliance and the whistleblowing channel can be delivered in an integrated way in a single annual session. With three providers, three separate sessions are delivered with overlapping content that confuses employees.
BMC’s integrated model
BMC’s integrated compliance offering begins with a cross-cutting diagnostic that analyses the current state of compliance across all four areas simultaneously. The result is a single report that prioritises gaps by risk level and proposes a coordinated implementation plan.
The programme is designed as a system: a single code of ethics that serves as the foundation for all programmes, internal policies that cross-reference each other coherently, a whistleblowing channel that simultaneously meets the requirements of Ley 2/2023 and the needs of the criminal model, and an annual training structure that covers all areas in a single session differentiated by level of responsibility.
BMC acts as the company’s external compliance officer: we are the single point of contact for any compliance matter, manage incidents as they arise (data breach, received report, regulatory inspection, preliminary criminal investigation), and conduct the annual audit of all programmes.
The economic case for unified compliance
Engaging GDPR with a specialist consultancy, criminal compliance with a criminal law firm, the whistleblowing channel with a technology platform and AML prevention with an independent adviser can amount to a total annual cost of between 15,000 and 30,000 euros for a company of 100 employees, not counting training duplication and the internal management time required to coordinate four providers.
BMC’s integrated compliance service for a company of equivalent size ranges from 8,000 to 15,000 euros per year (including initial implementation in the first year), with a single point of contact, a coherent programme, and an annual audit included. The difference is not only economic: it is also the difference between having a compliance programme that functions as a system and having four documents that nobody has read in their entirety.
Corporate criminal liability: what Article 31 bis of the Penal Code requires
The regime of criminal liability of legal persons, introduced in Spain with the Penal Code reform of 2010 and extended in 2015, establishes that a company may be held criminally liable for certain offences committed by its directors or employees for the company’s benefit. Consequences include fines of up to twice the benefit obtained, dissolution of the company, disqualification from contracting with the public sector, and closure of establishments.
Article 31 bis of the Penal Code establishes two circumstances that can fully exonerate the company from criminal liability: that the offence was committed by fraudulently circumventing the model’s controls, or that the prevention model was designed and implemented in a manner adequate and sufficient to prevent the type of offence committed. But the model must exist and be operational before the criminal act occurs. Creating the criminal compliance programme after a problem has arisen is legally irrelevant to that case.
The criminal compliance programme under Article 31 bis must include, as a minimum: identification of offences that could be committed within the company’s activities (criminal risk map), protocols and controls for each risk category, a channel for reporting irregularities accessible to employees and third parties, a supervisory body with sufficient autonomy to oversee the programme, and a system for staff training and communication.
The whistleblowing channel as a cross-cutting obligation
Ley 2/2023, of 20 February, on the protection of persons reporting regulatory infringements and combating corruption — transposing Directive (EU) 2019/1937 (the Whistleblowing Directive) — requires companies with 50 or more employees to have an internal reporting system (canal de denuncias) in place, with guarantees of confidentiality and informant protection.
The channel is not merely an anonymous email inbox: the law requires that the system guarantee the confidentiality of the informant’s identity, that there be a communications manager adhering to the established deadlines (acknowledgement of receipt within 7 days, resolution within 3 months), that persons under investigation have basic procedural guarantees, and that the entire process be compatible with GDPR (with legal basis, retention periods and restricted access).
Sanctions for failing to implement the channel can reach 1 million euros for the most serious infringements (retaliation against informants), and between 100,001 and 600,000 euros for failure to implement the system or serious non-compliance. The regulation also expressly prohibits employment retaliation against those who use the channel, with the burden of proof reversed in the informant’s favour.
Data protection as a cross-cutting pillar of compliance
GDPR is not simply a privacy formality: it permeates all other compliance programmes. The whistleblowing channel processes sensitive personal data requiring a specific legal basis (legitimate public interest, Article 6.1.e GDPR), limited retention periods and enhanced security measures. The criminal programme identifies natural persons in risk maps and internal investigations. AML prevention collects and retains client identification data for ten years.
An integrated compliance programme resolves these interactions by design: it defines the legal bases for each processing activity, establishes retention periods consistent with the legal obligations of each programme, and ensures that the Data Protection Officer (or data protection adviser) is informed of any process changes affecting the processing of personal data. Without this coordination, a company may be complying with Ley 2/2023 while simultaneously breaching GDPR in the same process, or retaining compliance file data beyond the period permitted under data protection regulation.
Frequently asked questions
Related services
Speak with a specialist
Complimentary first call. No commitment. Response within 1 hour during office hours.
4.8/5 · Data processed in the EU · GDPR · No commitment