While bringing unquestionable benefits into our lives, fast-evolving technological development also has a downside: a greater risk to people’s privacy.
Information, often including personal data (and the analytics derived from it), is a powerful tool for developing business strategies, but it requires organisations to consider new paradigms of relevance, adequacy and the actual cost-benefit of processing personal data. Increased awareness of the importance of data privacy, together with new regulatory frameworks imposing strict compliance criteria on businesses, has raised concerns.
The data protection challenges created by innovation led to the review of legal frameworks for personal data protection. In Portugal, the first legal framework dates back to 1998 and was laid down in Law 67/98 of 26 October.
The legislative changes recently introduced through the EU Regulation 2016/679 of 27 April 2016 (‘General Data Privacy Regulation’ or simply ‘GDPR’) will come into force on 25 May 2018.
The entry into force of the GDPR, applying in a standardised manner across all European Union countries, sets a new paradigm for the regulatory approach to privacy protection and for compliance: companies and organisations will have to adapt their information systems and their internal policies and procedures to this new context.
The GDPR strengthens and deepens the rights and protection of data subjects, and replaces the current system of prior notification to data privacy authorities with an accountability principle applied to all entities that process personal data. Organisations will have to demonstrate their full compliance with the GDPR requirements in all their aspects. This shift to an “accountability system” forces organisations to have every activity involving the processing of personal data mapped, documented and systematically reviewed from a compliance and risk perspective, and ultimately reflected in governance policies and standards that make data privacy assurance part of the mission of the modern corporation.
Attaining GDPR compliance standards is possible for all organisations, but it requires the ability to change the company’s management practices and, most importantly, people’s mindset. GDPR awareness, assessment and compliance are not just a legal matter. They are, rather, a matter of ‘corporate maturity’ for organisations that care about and improve their reputation and their trustworthiness in the communities where they operate.
There is not much time until May 2018. Organisations that have not yet started their GDPR activities now have little time to move forward. Time is of critical importance, especially considering the complexity involved.
The GDPR’s multidisciplinary nature calls for a combined functional, technological and legal approach, carried out in steps of discovery, assessment and design.
This broad vision will force companies to look at their internal workings and accept the possible need to improve their governance models, policies, procedures and/or ways of doing business with their stakeholders.
The continuing assessment of compliance will be fundamental, not only in order for companies to prevent fines from authorities – which have been increased up to a maximum of 4 per cent of total global turnover – but more importantly, to keep pace with the future of modern society.
Lastly, it is noteworthy that the values of reputation and trust were never as important as they are now. The new GDPR forces organisations to strengthen their ties with clients, employees, suppliers and other relevant stakeholders.
Rita Roque de Pinho is of counsel at Pbbr. She can be contacted at firstname.lastname@example.org
Carina Branco is senior tech & IT counsel at Techlawyers. She can be contacted at email@example.com