General Data Protection Regulation (GDPR)
In view of the enormous practical relevance of this subject, and considering that companies should be prepared for the General Data Protection Regulation, which has applied directly in the Member States of the European Union, including Portugal, since 25 May 2018 and introduces a particularly demanding legal regime in this area, we believe it is of great convenience and usefulness to prepare a set of informative notes that allow everyone to deepen their knowledge of this subject in simple and accessible language.
With this purpose in mind, we publish here the measures and potential corrections to be implemented in current business procedures, following the European Regulation itself, which promises to raise awareness of the importance of personal data protection both in the business world and among citizens (in their various capacities as consumers, users, workers and patients).
Information to data subjects
The Regulation requires data subjects to be informed of, among other things, the legal basis for the processing, the retention period of the data and any transfers of the data. All privacy policies and texts that provide information to data subjects need to be reviewed.
Exercise of the rights of data subjects
The Regulation requires controllers to enable data subjects to exercise their rights. Requests to exercise these rights must therefore be monitored and documented, with maximum response deadlines, covering in particular the right to data portability, the erasure of data, and the notification of third parties of any rectification, erasure or restriction of processing requested by the data subjects.
Consent of data subjects
The Regulation requires control over the circumstances in which the consent of data subjects was obtained, whenever consent is the legal basis for processing personal data. Consent has to meet a set of requirements, and consent that does not comply with them requires new consent to be obtained.
Nature of the data
The Regulation defines special categories of personal data (sensitive data), which are subject to specific conditions for their processing, including restrictions on automated decision-making. Biometric data are an example of sensitive data. Depending on the nature, scale and context of the processing, it may be mandatory to appoint a Data Protection Officer. If it is not in the company's interest to hire or appoint this new role internally, our Data Protection team can also be the solution.
Documentation and registration
The Regulation requires a documented record of all personal data processing activities. Organizations must be able to demonstrate compliance with all requirements arising from the application of the Regulation.
Subcontractors (processors)
The Regulation requires subcontractors (processors) to ensure that they hold all the necessary authorizations from the data controllers. Subcontracting contracts will have to be reviewed to include an extensive set of provisions protecting the information of data subjects, which is often handled by several entities without the data subjects' knowledge.
Data Protection Officer (DPO)
The Regulation introduces the figure of the Data Protection Officer, who monitors the company's data protection and security processes on a day-to-day basis to ensure that personal data are protected. Although appointing one is not mandatory for every company, having a DPO, or an external service performing this function, can add considerable value to the processes for fulfilling the obligations.
Data Processing and Security Processes
The Regulation requires strict control of the risks associated with the processing of personal data, including the theft of information. This risk control must be ensured by effective technical and organizational security measures that guarantee the confidentiality and integrity of the data and prevent the accidental or unlawful destruction, loss or alteration of data, as well as its unauthorized disclosure or access.
Data protection by design
The Regulation stresses the need to assess future data processing projects in good time, so as to evaluate their impact on data protection and take appropriate measures to mitigate the risks identified.
Notification of security breaches
The Regulation requires security breaches that are likely to result in a risk to the rights and freedoms of data subjects to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. Where the breach is likely to result in a high risk to the data subjects, they must also be informed.
Administrative fines
The Regulation establishes a uniform framework of administrative fines with two tiers, depending on the severity of the infringement:
In less severe cases, the fine may be up to EUR 10 million or 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher.
In the most severe cases, the fine may be up to EUR 20 million or 4% of the total annual worldwide turnover of the preceding financial year, whichever is higher.