Data Protection in Portugal: Eight or Eighty?
Four years of legislation since the entry into force of European legislation that regulates data protection for individuals and the General Protection Regulation for individuals.
Three years since the Portuguese entry into force for the implementation of this regulation in the figure of Law 58 of 2021. Data Protection: Eight or Eighty?
Both in the established regulation and in Portuguese law, the figure of the “Data Protection Envoy” is foreseen, which in fact is an agent that promotes the function that I like to call “the one of the three A's”, these being “Alert ”, “Caution” and “Advise”.
He likes to let this last sentence be purely my personal interpretation, which has been developing at the origin of my activity as an EPD in an organization more clearly the entry into force of the European regulation. A fourth function that has also been floating around in my EPD deals is “Support.” But this much is thematic for a next opportunity, since I don't want to make this article too long.
In these four years of GDPR and three of Law 58/2021, I have witnessed several scenarios that, in a way, set standards in institutions and organizations:
- the shock moment; "Which?! And now? What do we have to do?” . Although the regulation was published in 2016 for institutions and organizations to be able to prepare and make the precision measurements to enter, often (for not almost all organizations) organizations only agreed in early 2018 when the regulation came into force in May.
- the one responsible for the inevitability; “Ok it's Law, we have implementation. Who do we hire?” When they realized that non-compliance with this regulation could lead to consequences, organizations dedicated to the process of “solving the problem” began “in the convenience-style data privacy graves”.
- the illusion of simplicity; "Ready! That’s it, now we can forget about it.” . After organizations went through the cycle of requesting a proposal, contracting the service, and literally turning around as “foot-in-the-mouth” organizations for several months to implement what the “GDPR wizards” instructed, many organizations installed a feeling of “mission”,
- return to the “business as usual” posture: “How many RGP? Oh yes ! … that training that happened!” . Quickly as "people" in the institutions still return to their usual routine, which now in the processes and norms of the norms there were some more lines that say "to comply with the RGPD". But was the objective of data protection true?
- return to the shock moment; “Hey man! After all, missing organizations have already been authenticated”. As the various supervisory bodies in various countries apply fines for all compliance with data privacy or all the most basic rules of the regulation, we help organizations to contract the de-procedures of the processes, introduction of rules and norms of prevention , and based on the requirements of the GDPR. Or does the GDPR require none of this?
Citing an opinion piece by the Miguel Gonçalves on Pplware on May 18, 2018, “The GDPR was not made to make companies hell. It exists with the clear purpose of protecting citizens' personal data.” However, by the small tour, of the institutions I drew, of which you attend several institutions to follow in these years, four times, even if it was not apparently.
We can see the regulation of data protection from two perspectives:
- on the one hand obliged to the institutions and organizations that are regulated when they process the data of natural persons,
- on the other hand, as individuals, holders of personal data, their data are not treated in an abusive and exploitative manner.
Even to say that these two points of view are opposite, each on its side of the wall. But who compose the first are not the same elements that belong to the second?
So that when we are on the side of the wall we act based on the “rule of eight” and when we work for our organizations we adopt the “rule of eighty”?
Article written by Júlio Fernandes from MetaRed to Pplware.
MetaRed Portugal, a partner of Pplware, promotes, on October 27, at 2:30 pm, the webinar “What is Data Protection for?”, a session focused on the practical aspects of everyday life and how data protection is data data and GDPR enforcement brings benefits to each of us. This initiative is part of the Cybersecurity Awareness Kit developed by MetaRed in collaboration with Higher Education Institutions (IES). can sign up here.