Undoubtedly, the GDPR was the major security issue in 2018. The new legislation brought new ways of dealing with data and brought many questions to businesses. The new law has been applied to ensure greater privacy of personal data of citizens of the European Union, especially online. But after 8 months, what has really changed in companies with the arrival of GDPR?
A data protection law should not be required for companies to look at security as a priority, but the truth is that many companies didn’t look seriously at data protection. After the arrival of the new legislation, and much because of the large fines for non-compliance with the law, companies came to view security as a strategic factor for the company’s performance.
The new Data Protection Officer figure (also known as the DPO) plays a key role in the transition period from the old law to the new legislation. The appointment of a DPO is mandatory in the following cases: (1) whenever the processing of the data takes place in a public entity; (2) where there is constant monitoring of people on a large scale; (3) whenever there is large-scale processing of sensitive data. Many companies, because of the requirements of the legislation, had to appoint this figure, who is responsible for all matters related to the processing of personal data. According to the GDPR, the Data Protection Officer (DPO) can be anyone who works in the organization, as long as they meet certain conditions. The DPO needs to have expertise in the field of law and in data protection practices. It is not mandatory that they be a lawyer, but this professional must have in-depth legal knowledge in the area of data protection and experience in this industry. The DPO must be able to advise the company’s management and its employees on the obligations of the Regulation as well as on other data protection provisions in force in the EU and in the Member States. It is important that this professional has the ability to teach, communicate their ideas and make themselves understood by all employees of the company. The DPO needs to know everything about the company, in particular the procedures of each department. The DPO is also required to monitor the compliance of the company’s processes with the new GDPR through audits. The Regulation allows the DPO to carry out functions other than data protection, but it is advised that the DPO devotes most (or even all) of their time to data protection and compliance issues.
The Regulation created additional barriers to current data collection and processing practices in Portugal and the European Union, introducing more stringent rules for companies with regard to consent for the collection and processing of personal data. Companies have to consider creating a contract with the data subject, complying with legal obligations and defending the vital interests of the data subject. With the new Regulation, a contact from a business card, for example, cannot be included in any database without the explicit consent of its owner. In practical terms, the use of pre-ticked boxes, the absence of a response, inactivity and consent buried in terms and conditions will no longer be allowed, as none of these is considered a valid means of demonstrating compliance with the consent requirements of the new Regulation.
If there is a data leak or if someone gains unauthorized access to the system, the organization is obliged to immediately notify the affected citizen and the National Data Protection Commission.