The new general data protection regulation came into effect in May this year and despite all the information that has been generated around this new law, the truth is that many companies still feel lost and have not yet begun to protect their information. For this reason, we have prepared a definitive guide with all the information you need to know to protect your business under the new data protection law!
GDPR aims to align the data protection requirements in the various Member States of the European Union, thus making this issue more coherent. According to an IDC study, data security leads the list of concerns in European companies and this standard helps organizations ensure the protection of their information. Citizens also benefit from this law as they gain greater control over their personal data.
Personal data are all those that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union affiliation, and data relating to sexual life or sexual orientation.
The Regulation creates additional barriers to current data collection and processing practices in Portugal and the European Union by introducing stricter rules for companies with regard to consent for the collection and processing of personal data. Companies have to consider creating a contract with the data subject, complying with legal obligations and defending vital interests of the data subject. With the new regulation a contact of a business card, for example, can not be included in any database without the explicit consent of its owner. In practical terms, the use of previously selected boxes, the absence of responses, inactivity and consent through terms and conditions will no longer be allowed, as none of the means presented is considered a means of demonstrating compliance with the consent requirements of the new Regulation.
The company must ensure that highly sensitive data is encrypted or masked so that there is no risk of loss and the company falls victim to the heavy fines set out in the new regulation. Datapeeers offers a variety of sophisticated scrambling techniques to protect sensitive data, replacing them irreversibly with fictitious but realistic data.
This figure plays an essential role in the transition period from the old law to the new legislation. The person responsible for data protection should ensure that everything is perfectly legal at the date of entry into force of the GDPR. This function is assigned whenever the data processing takes place in a public entity; whenever there is constant monitoring of people on a large scale and whenever there is large-scale sensitive data processing. This professional should train his team, perform audits and be the point of contact with data protection authorities.
The new regulation requires that a DPO be designated if one of these cases occurs:
According to the GDPR, the Data Protection Officer (DPO) can be anyone who works in the organization, as long as it meets certain conditions. The DPO needs to have expertise in the field of law and data protection practices. It is not mandatory that you be a lawyer, but this professional must have in-depth legal knowledge in the area of data protection and experience in this industry. The DPO must be able to advise the company’s Management and its employees on the obligations of the Regulation as well as other data protection provisions in force in the EU and in other Member States. It is important that this professional is able to teach, communicate their ideas and make themselves understood by all employees of the company. The DPO needs to know everything about the company, in particular the procedures of each department. The DPO is also required to monitor the compliance of the company’s processes with the new GDPR through audits. The regulation allows the DPO to carry out functions other than data protection, but it is advised that the DPO devotes most (or even all) of its time to data protection and compliance issues.
About the author