GDPR: questions and answers about the new data protection law

GDPR came into effect on May 25, but there are still some doubts as to the scope of its application. Companies need to be prepared so that they do not run the risk of suffering the heavy fines that this law provides for. We’ve prepared some questions and answers about the new data protection law and hope this article is useful for you!

When is the Data Protection Officer required?

This professional (also known as the DPO, Data Protection Officer) plays an essential role in the transition period from the old law to the new legislation. The appointment of a DPO is mandatory in the following cases: (1) whenever the processing of the data takes place in a public entity; (2) where there is constant monitoring of people on a large scale; (3) whenever there is large-scale processing of sensitive data.

Who can play the role of Data Protection Officer?

According to the GDPR, the Data Protection Officer (DPO) can be anyone who works in the organization, as long as they meet certain conditions. The DPO needs to have expertise in the field of law and in data protection practices. It is not mandatory that they be a lawyer, but this professional must have in-depth legal knowledge in the area of data protection and experience in this field. The DPO must be able to advise the company’s management and its employees on the obligations of the Regulation as well as other data protection provisions in force in the EU and in the Member States. It is important that this professional is able to teach, communicate their ideas and make themselves understood by all employees of the company. The DPO needs to know everything about the company, in particular the procedures of each department. The DPO is also required to monitor the compliance of the company’s processes with the new GDPR through audits. The Regulation allows the DPO to carry out functions other than data protection, but it is advised that the DPO devotes most (or even all) of their time to data protection and compliance issues.

What is Data Protection Impact Assessment (DPIA)?

According to the European Commission, the Data Protection Impact Assessment (DPIA) is a process designed to describe the processing of personal data, assess the need for that processing and help manage the risks related to the processing of personal data. It is a risk assessment that relates the impact of data privacy threats materialising to their likelihood of occurring.

Is it necessary to obtain consent from the data subject in the case of a database with public domain information (e.g. a professional registration number in the health sector)?

This is a borderline case: data related to the health sector are sensitive, and it is recommended that access be granted only to the data strictly necessary for the employee to carry out their function. In these situations, in order to maintain the confidentiality and integrity of the data, you are advised to use a data masking tool, such as Datapeers.

What are the key changes to consent by individuals and businesses?

The Regulation creates additional barriers to current data collection and processing practices in Portugal by introducing stricter rules for companies with regard to consent for the collection and processing of personal data. Besides consent, companies have to consider the other lawful bases: a contract with the data subject, compliance with legal obligations and the defence of the data subject’s vital interests. Under the new Regulation, the contact details from a business card, for example, cannot be included in any database without the explicit consent of their owner. In practical terms, pre-ticked boxes, silence, inactivity and consent buried in terms and conditions will no longer be allowed, as none of these is considered a means of demonstrating compliance with the consent requirements of the new Regulation.

If I detect a data security breach, who should I notify?

The affected data subject and the National Data Protection Commission.

Is implied consent through “Terms and Conditions” still allowed under the new Regulation?

No, there has to be explicit consent on the part of the citizens.

Under the GDPR, is encryption mandatory?

Encryption is not required. It is up to companies to equip themselves with the mechanisms necessary to guarantee the protection and confidentiality of the data.

About the author

Marketing administrator