What is GDPR?

The entry into force of the General Data Protection Regulation (GDPR) obliges companies to prepare for compliance with the new law or face heavy fines. Stay up to date with the major changes the legislation brings, and check whether your company is ready for them.

Fines for companies that are not in compliance with the GDPR can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher.

When did the GDPR come into effect?

The General Data Protection Regulation (GDPR) became applicable on May 25th, 2018.

What exactly is the GDPR?

The GDPR is the European Union (EU) data protection regulation that replaced the 1995 Data Protection Directive and the national laws that transposed it. Being a regulation rather than a directive, it applies directly in all member states; the goal is to harmonise EU law on the protection and privacy of citizens' personal data.

Who is covered by the GDPR?

The new rules apply to all organisations, regardless of their size or turnover, that process the personal data of people in the EU, whether or not they are EU citizens, even when the processing takes place outside the EU (for example, a non-EU company offering goods or services to, or monitoring the behaviour of, people in the EU).

How do I know whether my company complies with the GDPR?

This series of questions and answers aims to help you understand what the GDPR implies and whether your company complies with the new rules. If you still cannot answer this question after reading our answers, you can get in touch with Eurotux to request a detailed technical evaluation of your case. You can also take Microsoft's quick survey to assess whether you are compliant.

What are the fines for non-compliance with GDPR?

Organisations that do not take adequate measures to apply the new rules risk heavy fines that can reach 20 million euros or 4% of their total worldwide annual turnover, whichever is higher. The GDPR also makes companies liable for damage caused by non-compliance, for example when personal data is compromised in a malware attack. Supervisory authorities can additionally suspend or restrict data transfers, for instance where processing lacks a lawful basis such as the customer's consent or where a required risk assessment was skipped, among other corrective measures that can become very costly for companies that do not comply with the GDPR.

What requirements does the GDPR impose on companies?

The General Data Protection Regulation is based on seven fundamental principles that aim to protect EU citizens' data and that should guide organisations' procedures:

  1. Lawfulness, fairness and transparency: companies must handle their customers' personal data lawfully, fairly and in a fully transparent manner, with processes the data subject can see and understand.
  2. Purpose limitation: companies may only process personal data for the purposes for which it was collected, as communicated to the data subjects.
  3. Data minimisation: companies must only collect and process the personal data that is strictly necessary for the purposes that were consented to. The related “Privacy by Default” obligation requires that, by default, only the data necessary for each specific purpose is processed and stored.
  4. Accuracy: companies must ensure that the data they hold is correct throughout its processing. Inaccurate data must be corrected or erased.
  5. Storage limitation: companies may only keep personal data for as long as is strictly necessary for the purpose.
  6. Integrity and confidentiality: companies must ensure, by technical and organisational means, that their customers' data is adequately protected against unauthorised or accidental disclosure, alteration, loss or destruction.
  7. Accountability: companies are responsible for complying with the GDPR and must be able to demonstrate that compliance; they are also answerable for any failures resulting from non-compliance.

To what kind of data does the GDPR apply?

The GDPR applies to personal data, meaning any information relating to an identified or identifiable natural person. This includes names, photographs, email addresses, banking data and medical information, as well as social network posts, IP addresses, location data and CCTV images. It covers information stored in employee, sales and service databases, as well as data on forms submitted by customers. The GDPR also defines special categories of sensitive personal data, such as genetic, biometric and health data, which are subject to stricter rules.

What new rights does the GDPR give data subjects?

The GDPR strengthens the privacy and security guarantees for data subjects (the people whose personal data a company holds), imposing a policy of “privacy by design” and “privacy by default”. Companies must therefore protect the privacy of personal data from collection through storage and processing until its deletion, and must ensure that they only collect the data strictly necessary for the specific purposes for which it is processed. Citizens also have a right to erasure (the “right to be forgotten”): on request, their data must be deleted without undue delay and at the latest within one month. They have a right to portability: they can obtain their data in a structured, commonly used, machine-readable format and have it transmitted to another controller free of charge. They also have the right to restrict the processing of their data and the right to have it rectified at any time.

How will the GDPR affect how I collect my customers’ data?

The main change concerns the consent given by data subjects to the collection and processing of their data. The GDPR requires consent to be a clear, affirmative statement, oral or written, for the specific purpose the data is collected for. When consent is obtained, companies must also inform the person, in a clear and transparent manner (especially where minors are involved), how the data will be processed and for how long it will be stored. Likewise, they must inform the person of the right to withdraw consent at any time; where consent was the only lawful basis for the processing, withdrawal means the data must be erased, including from backups and any Disaster Recovery infrastructure. Passing customer data on to other companies is covered by the same rule: it requires a lawful basis, such as the person's explicit consent to that transfer.

And what if my data is stored in the cloud?

The regulation applies regardless of where the data is stored, so the company must ensure that it only transfers data to a cloud provider that meets the same requirements as any other infrastructure. The provider acts as a processor under the GDPR, and any transfer to a location outside the EU needs an adequate legal basis.

My company only processes third party data: do I still need to comply with GDPR?

The GDPR applies both to companies that collect and process data for their own purposes, deciding the purposes and means of the processing (known as controllers), and to companies that process data on behalf of third parties (known as processors). Controllers may only use processors that provide sufficient guarantees of GDPR compliance. Processors in turn must process data only on the controller's documented instructions, implement appropriate security measures, and keep a record of all processing activities they carry out for third parties.

Does the GDPR require the appointment of a Data Protection Officer?

Only public authorities and bodies, and companies whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive personal data, are required to appoint a Data Protection Officer. Other companies may still appoint one voluntarily, to make sure all their efforts comply with the GDPR.

What does the GDPR imply for security breaches?

The GDPR requires companies to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform the affected customers without undue delay when the breach is likely to pose a high risk to them. The notification must describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to contain and remedy the problem. The company is also required to establish preventive measures to improve IT security and prevent future breaches.

Does the GDPR have anything to do with data encryption?

The GDPR names encryption explicitly as an appropriate technical measure against security breaches. Where sensitive data and higher risks are involved, encryption is the recommended technical measure for mitigating the threat. Encryption renders data unintelligible to an attacker, so a breach of encrypted data does not have to be communicated to the affected persons as long as the key itself was not compromised (the supervisory authority must still be notified unless the breach is unlikely to result in a risk). Several products and services provide robust encryption for data at rest and data in transit. You can get in touch with Eurotux to learn more about them.

Where should I begin in order to comply with the GDPR?

Your company should begin by mapping its processing activities, which identifies the systems, activities and employees that interact with personal data. Next, conduct a Privacy Impact Assessment (the GDPR's Data Protection Impact Assessment), and then apply its findings to processes, systems, technologies, people, activities, internal rules and any legal issues.
