A recent study showed that only 2.5% of Portuguese organizations considered themselves prepared for the General Data Protection Regulation (GDPR).
Daniel Reis, of PLMJ, sets out some of the priorities in an interview with SAPO Tek. Contrary to what many companies and organizations assume, 25 May 2018 is not the date on which the GDPR enters into force but the date from which it applies. The Regulation has been in force since 2016, and the intervening years have been a transition period, although some matters remain to be settled at national level in several countries, including Portugal.
From 25 May, the way organizations handle personal data can be supervised, and it is from that date that the much-publicized fines can be applied for non-compliance: up to 20 million euros or, in the case of an undertaking, up to 4% of total worldwide annual turnover, whichever is higher. It is a figure that genuinely frightens.
"The maturity of Portuguese companies in the protection of personal data is very low. Most companies and public sector entities in Portugal are behind schedule. There are many organizations that have not yet started preparing for the Regulation," said Daniel Reis, partner at PLMJ and coordinator of its TMT team. The law firm has been working with companies and public sector entities on their preparation: training, auditing, creating compliance programs, training DPOs, and drafting and implementing policies and procedures. For this reason Daniel Reis has a clear view of the weaknesses and difficulties in this area.
In the interview with SAPO TEK, the lawyer stresses that it is essential for organizations to survey their current situation: identifying the processing operations they carry out, understanding where the data is held, where it comes from and to whom it is disclosed, identifying the suppliers who have access to the data, reviewing physical and IT security conditions, and reviewing the documents on which the collection of data is based.
Any organization that handles personal data has to adapt to the new rules; those that have not started will have to start as soon as possible. With little time left to prepare, companies face a number of challenges, and not only technological ones.
Daniel Reis points to the need to create a horizontal view within organizations, precisely because they are organized in vertical silos (human resources, marketing, IT, etc.) while personal data is processed in every area.
Combining legal, technological and operational skills is another relevant issue. "How to combine these skills is not obvious, especially in smaller companies," he explains.
Although some areas still need regulating, which is to be done through a bill the Government is preparing, this should not stop companies from starting, or advancing, their compliance processes.
"It is expected that supervisory activity will begin right at the start of the application of the Regulation," Daniel Reis tells SAPO TEK. "However, not all companies will be monitored at the same time. The CNPD (like any other regulatory authority) will have to make choices," he admits. The CNPD (Comissão Nacional de Proteção de Dados) is the Portuguese data protection supervisory authority.
The amounts of the fines are one of the most relevant matters, and Daniel Reis believes they may reach high values in Portugal too. "The amounts depend on the specific case. Aspects such as the number of people affected, the data in question and the degree of fault, among others, will be relevant in determining the size of the fine," he details.
In the end, it is citizens who benefit. "The system of self-regulation created by the Regulation, coupled with the value of the sanctions, will force organizations to change how they approach the issue. Citizens see their rights reinforced and will have at their disposal more effective mechanisms to claim and demand the fulfilment of their rights," recalls the partner and coordinator of PLMJ's TMT team.
Source: Fátima Caçador – tek.sapo.pt
Davide Fernandes