How do perspectives on the GDPR differ between consumers and businesses? Do perspectives vary by industry?
The Answer
How do perspectives on the GDPR differ between consumers and businesses?
After the "novelty effect", the General Data Protection Regulation (GDPR) has become, little by little, an operational reality in the relationship between companies and consumers with regard to the management and processing of personal data. In addition to the recent legal provisions that the GDPR entails, the first fines and inspections in this regard are beginning to appear.
At the European level, there are already more than 500 cases of inspection regarding personal data. This information, according to the Portuguese portal Dinheiro Vivo, was transmitted by the president of the European Data Protection Council at the beginning of October. For his part, the European Data Protection Supervisor, Giovanni Buttarelli, indicated, according to Reuters, that the first fines under the GDPR will arrive at the end of the year, affecting companies and public entities.
The scenario has already become reality in the neighboring country. The pioneer, for the worst reasons, has been the Barreiro-Montijo Hospital Center, which has already received fines from the National Data Protection Commission (CNPD) under the GDPR. In total, the hospital has received fines of 400 thousand euros due to the allegedly indiscriminate access to clinical processes of patients by technicians and doctors without proper authorization.
It should be remembered that, within the scope of the European regulation, sanctions have a maximum limit of 20 million euros or 4% of the global turnover. The specific rules of application of the GDPR in Portugal depend on the official publication of a national law, which has not happened to date. In a bill approved in March in the Council of Ministers, which ended up not succeeding, the Government designated the CNPD as the national control authority for the GDPR. Without national legislation, the general provisions of the European regulation apply.
Does the outlook vary by industry?
Although the text was already in force, it has not been legally applicable until today, May 25, 2018, the date its application begins. However, many companies have begun to prepare themselves through risk analysis of the data processing they carry out in their organization.
The 2018 Regulation increases the commitment of companies and organizations, although this commitment mostly involves a different data management system. Public bodies, such as the Spanish Agency for Data Protection, are developing systems that allow the specification of risks for SMEs. Specifically, the following companies or groups will be required to have a DPD (Data Protection Delegate): Professional Associations or Associations; Teaching Centers, Education or Schools; Companies dedicated to network management; Information Societies; Solvency Companies, Financial Reports or Banking; Insurers; Investment Companies; Energy Companies; Advertising and Commercial Prospecting Companies; Socio-Health Companies; Gambling companies and recreational machines; Private Security Companies. For all of them, the hiring of an accredited / approved professional as DPD will be required, either internally or externally.