Yesterday, we celebrated the international data privacy day. This date was set in 2006 by the European Council, and aims at increasing people’s awareness of the importance of privacy and promoting the protection of personal data, a hot topic given the demands posed by the General Data Protection Regulation on those responsible for the processing of personal data, which must be complied with by May 25, 2018.
Is your company prepared for applying the General Data Protection Regulation?
What is the GDPR?
The European Parliament and European Council Regulation (EU) 2016/679, dated April 27, 2016, on the protection of private individuals as far as the processing of personal data and the free movement of said data are concerned (a.k.a. GDPR), repeals the 95/46/CE Directive and aims at establishing a legal framework for data protection that is consistent across the European Union, as well as adjusted to the speed and novelty of the technological evolution and the challenges it poses to the protection of personal data.
To whom does it apply?
The implementation of the GDPR is mandatory for all natural and legal persons that process personal data pertaining to private individuals within the European Union, regardless of their size. The implementation of the GDPR is thus also mandatory for micro-, small- and medium-sized companies (although they might be exempt from specific obligations), to ensure that all private individuals in all Member States are entitled to the same level of rights susceptible to legal protection, and to impose identical obligations and responsibilities on both controllers and processors.
When does it become mandatory?
The GDPR is directly applicable to all Member States as of May 25, 2018.
What are the main differences versus the currently applicable legal data protection regime?
There are several changes to the processing of personal data imposed by the GDPR, and it is especially important to understand the increase in accountability deriving from the elimination of the previous system, which required prior notification to, or authorisation from, the Comissão Nacional de Proteção de Dados (National Committee for Data Protection) for the processing of personal data. All controllers must be able to actively demonstrate that they are abiding by the GDPR, and the Comissão Nacional de Proteção de Dados (National Committee for Data Protection) is responsible for monitoring said compliance.
Nevertheless, we are going to summarise other obligations:
i. Reviewing all current policies, as well as technical and organisational measures, to implement a data protection system that ensures adequate data processing as far as security, privacy and integrity are concerned;
ii. Reviewing the information provided to the data subjects, given that the GDPR is particularly strict when compared to the currently applicable legislation;
iii. Reviewing all internal procedures to allow an effective and speedy exercise of the data subjects’ rights, which have also been expanded;
iv. Preparing to deal with personal data breach cases, not only by preventing, mitigating and identifying the circumstances in which these have occurred, but also by complying with the obligation to notify the Comissão Nacional de Proteção de Dados and (in certain circumstances) the affected data subjects;
v. Analysing whether the appointment of a Data Protection Officer is mandatory (or convenient);
vi. Ensuring that all cross-border data transfers comply with the GDPR.
What are the consequences of non-compliance?
Unlike the currently existing paradigm (pursuant to the legal framework still in force), where some companies would assess the financial risk of non-compliance with the data protection legal regime and compare it to the reasonably insignificant financial penalties, fines related to the non-implementation of the GDPR may either amount to 20 million EUR or reach 4% of the global annual turnover pertaining to the previous fiscal year, whichever is higher.
TFRA has a specialised team to advise and guide you through your GDPR implementation journey. We’re ready to assist you on this most critical step of your company’s life.