The new General Data Protection Regulation (GDPR) comes into force on May 25th. What changes? How will it affect your company? Find out everything you should consider and what you have to do to comply with the new rules.
What is the new GDPR?
The new General Data Protection Regulation is the new law that changes the way companies, both public and private, treat the personal data of clients, collaborators, users and partners. In the case of Portugal, it replaces the current Data Protection Law (Law 69/98), but its mandatory application extends to the entire community area.
Collection of data only with express consent of the holder
The new regulation aims to reinforce the rights of data subjects by guaranteeing them the possibility of accessing and reviewing their data, data portability, as well as exercising the designated right to privacy. What does this mean for you and your company? Firstly, you will have to store the information in such a way that it is easy to read for those who consult it, in a format that allows its rapid transfer to another company, also documenting all the entities to which these same data are provided. Secondly, you will have to be prepared to delete the personal data of any citizen who demands it. It should be noted that you will have to provide documentary proof that you have complied within the legal deadlines established in the new regulation.
With the new regulation, in order for your company to be able to process the data of individuals, you will have to obtain their express consent. You should know that in Portugal the minimum legal age for minors to be able to authorize, by themselves, the processing of their data in social networks and other online services is 13 years old.
This measure applies retroactively, which means that on May 25 your company must have verified the existing consents and the conditions under which they were obtained in order to certify that they comply with the new regulation. If this consent has not been granted in accordance with the new rules, you must obtain new consent, under penalty of being considered unlawful.
Moreover, from now on, all data processing must be properly documented. It should be noted that the new rules define special categories of data, such as genetic, biometric, health, ethnicity, political opinions, religious or philosophical convictions, union affiliation, or sexual orientation data, the processing of which by companies or organizations is prohibited except for the exemptions identified in the regulation.
Which companies have to appoint a Data Protection Officer?
One of the most talked about novelties is the obligation to create a new figure, the Data Protection Officer (DPO), in all public companies, companies whose main activity is the processing of sensitive data on a large scale and companies that perform “regular and systematic control” of data subjects. If your company does not fall into any of these three categories, having a DPO is at your discretion, but in reality, the ideal is that there is someone responsible for ensuring that the new data protection regulations are complied with and that they raise awareness and train all employees on the new ways of acting in relation to personal data.
All these measures also aim to ensure that companies have greater control and responsibility over the processes of processing personal data in order to increase the security of their storage and processing. If you identify any compromise or violation of data in your company, you are obliged to notify the responsible national authority, which in the case of Portugal is the National Commission for Data Protection (CNPD).
What happens to your company if you do not comply with the new Data Protection Regulation?
If your company is identified as being in non-compliance, it is subject to financial penalties, and the amounts can be very high. The penalties vary according to the size of the company and the seriousness of the violation. In the case of minor violations, fines can reach 10 million euros or 2% of the worldwide turnover of the group in which the company operates, and in more serious cases, they can amount to 4% of the global annual turnover or 20 million euros.
You only have until May 25 to put into practice all the regulations, so hurry and get well informed!