General Data Protection Regulation


December 5, 2018

The General Data Protection Regulation (GDPR), which comes into force on 25 May, regulates the protection of individuals with regard to the processing of personal data and the free movement of such data. This regulation introduces not only new rules but also high fines for non-compliance, which demands careful attention from organisations that handle personal data.
The big challenge is to ensure control over data privacy in our information society, where the growing adoption of the internet, social networks and digital business models creates a duality. On the one hand, people are attracted to these services and share data about their personal lives; on the other, organisations capture more and more information about their customers, usually with the aim of providing more and better services, or as a way to monetise the information.
The GDPR represents a fundamental shift in the way the EU views the processing of and access to personal data, in a new approach that places the focus on the accountability of organisations. The EU's view is that companies exploit personal data excessively and primarily for their own benefit, with a deficit of transparency about the manner and purpose of processing.
The new regulation is fairly complex and represents a challenge for all companies and organisations, public and private, which will have to implement control tools and specific procedures for the management and protection of their customers' data.
In this technical article we set out the main specificities introduced by the regulatory framework of the GDPR.

Scope of application
The RGPD regulates the processing of personal data, whether by wholly or partly automated means or by non-automated means.
Exceptions:
- not subject to EU law;
- natural persons in the exercise of personal or household activities;
- authorities, for the purposes of the prevention, investigation, detection and prosecution of offences or the enforcement of penalties.
It applies to establishments in the EU, and also to establishments outside the EU which: a) offer goods or services to data subjects within the European area, whether they are EU citizens or third-country nationals; b) monitor the behaviour of individuals within the European area.

Key concepts:
- Personal data
"any information relating to an identified or identifiable natural person" (the data subject)
- Sensitive data
"philosophical or political beliefs, party or trade union membership, religious faith, private life and racial or ethnic origin, data concerning health and sex life, genetic data"
- Data processing
"operation or set of operations which is performed upon personal data", namely "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
- Controller (responsible for processing)
- natural or legal person
- individually or together with others
- determines the purposes and means of processing of personal data

- Processor (subcontractor)
- natural or legal person
- processes personal data on behalf of the controller

- Data breach
- accidentally or unlawfully
- causes destruction, loss, alteration, disclosure, unauthorised access

Data subjects' rights (new)
- Transparency and plain language (more information, more communication, more exercise of rights)
- Right to information
- Right of access
- Right to rectification, erasure (right to be forgotten) and restriction of processing
- Right to object
- Right not to be subject to automated decisions
- Right to portability
- Communication of a personal data breach to the data subject

Obligations of the controller
- Lawfulness of processing:
- Consent: must be freely given, specific, informed and explicit (opt-in), as opposed to the current pre-ticked options or silence (opt-out)
- Contract
- Appropriate technical and organisational measures to ensure and evidence the processing in accordance with GDPR
- Privacy by design:
- appropriate technical and organisational measures, such as pseudonymisation and anonymisation
- guarantees necessary for compliance with the GDPR (lawfulness of processing, policies, procedures, codes of conduct)
- Privacy by default: technical and organisational measures, such as minimisation and access control
- Notification of a personal data breach to the Supervisory Authority within 72 hours
- Adequate guarantees from the processor
- Companies with more than 250 employees: mandatory record of processing activities
- Privacy Impact Assessment: mandatory where there is profiling, sensitive data or large-scale processing. Prior consultation with the CNPD is required
- International transfers

DPO - Data Protection Officer
Appointing a DPO is mandatory for the following organisations:
- Public authorities or bodies (except for Courts and PCOs)
- Organisations that engage in large-scale data processing
- Organisations with large-scale processing of sensitive data and/or data relating to offences or convictions
Functions of the DPO:
- Information/Awareness Raising
- Monitoring GDPR compliance
- Advising on and overseeing the carrying out of Privacy Impact Assessments (PIAs)
- Cooperation and contact point with the Supervisory Authority

Fines and Supervisory Authority
- More independence for the Authority
- Responsibility for monitoring the implementation of the GDPR
- Preventive activity for the controller and/or processor
- Harmonisation, addressing the current problems of:
- applications for authorisation in different Member States receiving different decisions;
- delays in obtaining a response
- Harmonisation of rules, in particular concerning international transfers
- More international cooperation between Member State authorities and the European Commission
- Powers of investigation | corrective powers | advisory and authorisation powers
- Conducting audits
- Warnings, reprimands and ordering that data subjects' requests to exercise their rights be satisfied
- Issuing opinions; authorising processing; approving codes of conduct
Application of sanctions
The GDPR defines the maximum limit for fines, leaving it to each Member State to define a minimum ceiling. In Portugal, this framework has not yet been defined, so at this moment the application of any fine is illegal and unconstitutional.
Ceilings on the imposition of fines:
- Less serious infringements: up to EUR 10 million or 2% of annual turnover (whichever is higher)
- Most serious infringements: up to EUR 20 million or 4% of annual turnover (whichever is higher)
Apart from the sanctions applied by the competent authority, one of the main issues that organisations are likely to face is the data subject's right to compensation for material and/or non-material damage.

Complying with RGPD, step by step
1. Diagnostic Phase
Read the regulation. Identify what data exists in the company and how it is processed. What types of data exist? For what purpose? What is the retention period? Understand the existing data flows. Do suppliers have access to them?

2. Revision Phase
Review whether there is consent from data subjects for use and processing of data that already exists. Verify the consent documents. Review privacy policies and terms of use, as well as contracts with suppliers and other subcontractors. Bring all documentation into compliance with the GDPR.

3. DPO Phase
Understand whether the company meets the requirements for having to appoint a Data Protection Officer (DPO). Appoint a DPO if necessary and involve them in the preparation process.

4. Implementation Phase
Identify the measures to be taken. Assess whether IT systems need to be replaced. Acquire the necessary systems. Design an implementation plan. Implement the new measures and assess whether everything is compliant.

5. Compliance phase
Train employees. Ensure continuous compliance with the GDPR. Business as usual from 25 May.
