The RGPD came into force on 25 May 2018 and since then, in Portugal, 131 fines have already been imposed.
The GDPR (General Data Protection Regulation) is an EU regulation (no. 2016/679 of 27 April 2016), adopted by the Parliament and the Council, which is one of the main tools of digital Europe. It basically consists of the processing, by an organisation or natural person, of the personal data of other individuals. It applies essentially to professional, commercial, financial, cultural or social activities, both collective and public in nature.
Personal data is considered to be all information relating to a person, endowed with rights and duties, identified through direct or indirect reference, with telephone contact or any other data that crosses and that concerns the individual.
The processing of these personal data, based on any operation that affects them, must have a concrete and legal purpose, respecting the professional activity of those who manage them. A concrete example of this data processing is databases such as customer files or supplier lists.
The GDPR must be taken into account by any person or entity, public or private, primarily acting and residing in the EU. For it to be fully followed, organizations or individuals must adopt privacy and information security policies; assess the impact of data protection; obtain consent not only for the processing but also for the collection of data from data subjects; make and keep records; guarantee rights of access; delete or object to these actions; notify accidents; ensure good security practices.
With only 4 years of existence, the RGPD respects the European path highlighted by the European Commission, of a “European path for the Digital Decade”. The goal, according to the renowned institution is to “pursue digital policies that empower people and businesses to consolidate a more prosperous, human-centred and sustainable digital future“.
The European path for digital development has been followed with new legislation that includes standards such as ensuring citizens’ and consumers’ trust, privacy and cybersecurity, ensuring a free but safe flow of information and opinion. In short, a people-centred system.
Although this regulation is not strictly European, in Europe it comprises a wide range of measures aimed at protecting individuals on the path towards a stronger, safer and more inclusive European digital future. Furthermore, it is integrated in specific European policies, with particular relevance to the nature of personal data, such as telecommunications, public health, artificial intelligence, transport, energy, competition (competition authorities should cooperate to this end, at the intersection of competences), electoral contexts or law enforcement.
In recent times, there has been an increase in the number of infringements and fines awarded, and it is therefore important to strengthen prevention. As such, it is advisable that entities ensure that the data collected and processed is, in fact, necessary to achieve legitimate and well-defined objectives; ensure that individuals remain the owners of their own data, with full transparency on its use; ensure the physical or computer security of the data; know, identify and prevent risks; regularly verify compliance of existing measures, procedures and circuits with the rules of the GDPR, among other measures.
In its fourth year of application, and in force since 2016, there is still a long way to go to avoid increasing fines in the process of violation of its rules. High caution and an awareness of the importance of prevention are the most recommended advice from experts.
Additionally, there is still some scepticism about the GDPR, as many claim that it hinders innovation and technological development and that it is not clear and objective about its application.
In terms of data protection, Portugal stands out negatively. Firstly, we have implemented the GDPR Implementing Law (Law no. 58/2019, of 8 August), which violates the principle of the Primacy of EU Law, contradicting many of the rules contained in the GDPR itself. Furthermore, Portugal is the only member state whose supervisory authority has decided not to apply some of the rules set out in the GDPR Implementing Law. This implementing law granted public entities the request to waive the application of fines and also encourages them not to take steps to ensure a satisfactory level of compliance with the RGPD.
Similarly, Portugal was the only country in the entire European Union to reduce the budget of its supervisory authority, unlike other member states. In view of this, a proposal was submitted to the European Commission that foresees the opening of infringement proceedings against member states that do not comply with their obligations under the GDPR, in which Portugal is included.
The National Commission for Data Protection (CNPD) has contributed, positively, to the widespread perception that the GDPR has not achieved the desired effects and that there is, in fact, an inability to make it effective.
It can therefore be concluded that four years after its implementation, the balance is unsatisfactory. In addition to the reduced number of professionals and the low qualification and specialisation in matters such as data protection, Portuguese companies are required to demonstrate that they have an adequate level of compliance with the GDPR, without actually having it, leading to competitive delays and sometimes lost business opportunities.
Several studies have shown that, across the world, many entities are not compliant with the measures in either the US or EU data privacy regulations. Each potential fine can reach a maximum of €20 million or 4% of annual global turnover.
However, the future is expected to be bright in this field. Three factors contribute to this: the end of the privilege of public entities to request the exemption of the application of fines, subjecting them to the full powers of correction of the CNPD. Next, the digital maturity seals, which aim to boost and increase the level of maturity of organizations. Finally, the consolidation of the data protection supervision framework, as well as the more present and constant action of the CNPD itself.
Jakub Lewandowski, legal director and global head of data at Commvault, explained that “Any increase in compliance and regulatory obligations increases development costs for digital businesses. There is a fine balance between protecting data and stifling innovation, but ultimately the most important factor has to be building trust in our digital economy and relationships.“
To achieve competitive advantage in this field, it is essential to find the balance between meaningful protection (digital ethics, privacy, cybersecurity) and maximising economic and social value (cloud, digital transformation, innovation).
It is then of utmost importance that sanctions are applied for non-compliance with the established norms and that the rules are aimed not only at the so-called Big Tech but also at small and medium enterprises. Complementarily, with individuals able to report data misuse before incidents occur, the law is followed in due norms.
On the other hand, if the aim is to maximise economic and social value, the cost of compliance and barriers to innovation must be minimised. This can only be achieved with a level of regulatory harmonisation.
It is understood, then, that there is definitely room for improvement. We believe that, with awareness, the RGPD will follow the path initially intended and that personal data will be effectively protected from any and all threats.