Data Protection – Final sprint
15 March, 2018
Written by Carlos Marques Figueira, Manager Quality & Compliance at Rumos Consulting
- Exin Privacy and Data Protection Foundation Certified
- Specialist in Business and Management Processes and Data Protection
Less than three months until the General Data Protection Regulation applies
With less than three months until the General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018, it is already clear that companies are aware of the new regulation. The same cannot be said of their level of preparation and compliance. For most companies in Portugal this is still an unfamiliar path. But make no mistake: the regulation applies to all companies, to a greater or lesser extent, and demands attention to every business support process that involves the processing of personal data of individuals in the EU, whatever their nationality.
A lawful basis, obtained in a lawful, fair and transparent manner
The regulation requires that every collection and processing of personal data rest on a lawful basis and be carried out lawfully, fairly and transparently towards the data subjects. Consent is only one of those bases, and where it is relied upon it must be freely given, specific, informed and unambiguous (explicit consent is required for special categories of data, such as health data). The regulation also obliges companies to demonstrate, with documented technical and organizational measures, that they guarantee the confidentiality, integrity, accuracy, availability and security of the data (the accountability principle). It sets out rules on purpose limitation, storage limitation and data minimization: data may be collected only for specified purposes, kept no longer than necessary and limited to what the purpose requires. This means that all employees of the organization responsible for the processing (the controller) must be made aware of these rules, as must the chain of suppliers with whom the organization shares data, who act as processors and must be bound by a written contract covering the processing.
The goal is simple: to ensure a level of compliance that minimizes risk to the organization
Therefore, in the context of a final sprint, it is important to understand where the starting line is and in which direction to go. This is a process of change that involves people, processes and technology, as well as a legal understanding of the regulation, and its goal is simple: to reach a level of compliance that minimizes the risk to the organization without compromising business operations. The best way to approach this change is to see it as an opportunity to improve and optimize business processes, information quality, security and privacy, and not merely as a way to avoid the announced fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. It is also an opportunity for companies to improve their information systems, because the biggest challenge organizations now face is how to integrate and automate compliance into their processes and systems while minimizing the impact on normal business operations.