The new era of data protection in Europe has already begun. The new General Data Protection Regulation entered into force in May of this year, and over the past few months the ANPD has received many complaints about failures to comply with the law. The Hospital of Barreiro in Portugal was the first organisation to be fined for legal infractions. But what is the real impact that the GDPR will have on corporate security?
Changes in the collection and processing of personal data by companies
The Regulation creates additional barriers to current data collection and processing practices in Portugal and the European Union by introducing stricter rules for companies with regard to consent for the collection and processing of personal data. Where consent is not the basis, companies have to consider the other grounds: performing a contract with the data subject, complying with a legal obligation, or defending the vital interests of the data subject. Under the new regulation, the contact details on a business card, for example, cannot be added to any database without the explicit consent of their owner. In practical terms, pre-ticked boxes, silence, inactivity and consent buried in terms and conditions will no longer be accepted, as none of these is considered a valid way of demonstrating compliance with the consent requirements of the new Regulation.
Protection of the most sensitive data is mandatory
The company must ensure that highly sensitive data is encrypted or masked, so that a loss or breach does not expose it and the company does not fall victim to the heavy fines set out in the new regulation. Datapeers offers a variety of sophisticated scrambling techniques to protect sensitive data, replacing it irreversibly with fictitious but realistic data.
Data Protection Officer required in certain situations
This professional (also known as the DPO, Data Protection Officer) plays an essential role in the transition from the old law to the new legislation. The appointment of a DPO is mandatory in the following cases: (1) whenever the processing of the data takes place in a public entity; (2) where there is constant, large-scale monitoring of people; (3) whenever there is large-scale processing of sensitive data.
Who can play the role of Data Protection Officer?
According to the GDPR, the Data Protection Officer (DPO) can be anyone who works in the organisation, as long as they meet certain conditions. The DPO needs expertise in data protection law and practice. It is not mandatory that the DPO be a lawyer, but this professional must have in-depth legal knowledge in the area of data protection and experience in the field. The DPO must be able to advise the company's management and its employees on the obligations of the Regulation as well as on other data protection provisions in force in the EU and in the Member States. It is important that this professional is able to teach, communicate their ideas and make themselves understood by all employees of the company. The DPO needs to know the company thoroughly, in particular the procedures of each department. The DPO is also required to monitor the compliance of the company's processes with the new GDPR through audits. The Regulation allows the DPO to carry out functions other than data protection, but it is advisable that the DPO devotes most (or even all) of their time to data protection and compliance issues.