
The D-DAY – for GDPR

26 May
This article was written on 24 May, the day before Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, named the General Data Protection Regulation and known in Portuguese by the abbreviation RGPD, begins to apply. The transitional period provided for in the Regulation published in April 2016 thus comes to an end and there seems to be only one certainty: today the doubts are more than many.

The Government's Bill 120/XIII for the execution of the GDPR in the domestic legal order provided, among other things, for a distinction in the amount of fines applicable to large companies, SMEs or natural persons, and for the non-applicability of fines to public entities for a period of three years, subject to reassessment after that period. This bill was not approved by Parliament, and it is not foreseeable that we will have domestic legislation approved in the coming days. On the other hand, according to information submitted by the Data Protection Commission itself in the Assembly of the Republic, the Commission is facing serious financial problems and, 10 days after the start of the application of the GDPR, it has publicly declared, through its chairman, that it has no means of compliance with the GDPR.

In a study released this week by Jornal de Negócios, conducted on the basis of a survey of 1,500 companies during March and April 2018, only 8% of the companies surveyed state that they are able to comply with the GDPR.

However, because it is a regulation and not a directive, like the one it repeals, the GDPR is directly applicable and does not require transposing legislation in the domestic legal order. Added to this is the so-called 'one-stop-shop' principle created by the GDPR for cross-border processing, which may affect companies belonging to groups with a principal place of business in other EU countries.

Whether or not one agrees with the (sometimes excessive) alarmism created around this subject, the fact is that, with the new European legislation, data protection becomes an element to be managed by any company. Moreover, with the GDPR the burden of proof of compliance is transferred to those responsible for the processing. The CNPD authorizations disappear, and even authorizations already obtained do not exempt those responsible from complying with the GDPR.
Article 24 of the GDPR provides that <>

We believe, therefore, that the GDPR provides, in essence, the root of a future certification process. Companies that have already gone down the road to certification according to ISO 27001 will have much of the work done. However, even for these, and for the rest, deciding what measures to take in order to comply with the GDPR, and to evidence that compliance, is a strategic and management decision.

On a positive note, we cannot fail to observe that, like all major challenges, the new legal framework for data protection is also a great opportunity, given that data protection is a clear differentiating factor: in the future, the protection afforded to personal data will increasingly constitute a competitive advantage in the global market. It is urgent, therefore, to seize this data protection of the future, a future that is now and that begins tomorrow, 25 May 2018.
 
