by Sandro Rego*
With the advancement of technology, personal information has become valuable in the literal sense. Many have not yet realized it, but everything that is done on the internet comes at a price. And a sizeable one. Each access generates data about us. Exchanging emails, catching up with friends on social media, watching a show by your favorite musician on YouTube, searching Google for a restaurant name, playing League of Legends – all these actions generate information that is sold to businesses or statistically collected by governments.
To standardize existing rules and procedures in the Member States regarding data regulation and protection and to prevent this information from becoming ever more of a virtual currency, the European Union adopted in 2016 the General Data Protection Regulation. GDPR, as it is known, aims at protecting the use of personal data of European citizens by keeping them informed of the information they share, with whom they share it, and where they share it.
GDPR also allows personal information to be deleted, on request, from all the databases in which it is held. In other words, users (or consumers) become the owners of the information, with the right to access it and even to require its deletion. On the other hand, companies are entitled to collect only information deemed necessary, always with the consent of the customer.
With the measure, organizations need to be prepared for this new reality. It is necessary to follow the law to make sales online and to collect email addresses for sending newsletters and email marketing actions, for example. The European Union established a two-year deadline for companies to prepare to meet GDPR requirements. In the period, Member States were also free to update their national laws in line with the established rules. If they did not do so, the Community GDPR would apply.
In Portugal, the Assembly of the Republic approved GDPR on June 14th. By way of comparison, in Brazil, the General Personal Data Protection Act (LGPD) was approved in August last year by then-president Michel Temer. Also, President Jair Bolsonaro approved the creation of the National Data Protection Authority (ANPD) in July this year. The federal agency should, among other roles, ensure that LGPD rules are enforced by public and private institutions in the country. The law is expected to take effect in August 2020. Many companies still do not consider themselves ready to comply with the new rules.
And as the regulation will have a direct impact on Portuguese companies, which may damage their reputations, relationships with stakeholders and communication initiatives, APCE (Portuguese Association of Corporate Communication) played a key role in the awareness process and support of its members. APCE provided opportunities for the topic to be better known and analyzed in detail.
The Association was also responsible for bringing the topic to international organizations such as Aberje, as well as the Global Alliance, Fundacom and FEIEA (European Association of Internal Communication). As the fines are high, it is crucial that companies have the necessary mechanisms to comply with the GDPR. According to António Rapoula, APCE vice president who led the process with associates, “this commitment by APCE has helped to improve the preparation of associated companies and to help minimize the risk arising from this new European regulation.”
Another important initiative was the meeting promoted by APCE and its associates with the Parliamentary Committee of the Assembly of the Republic, responsible for the consideration of the GDPR. At the time, the points of attention were presented, and their written contribution on the Portuguese “regulation” was delivered to the GDPR. The Assembly considered in the final text of the law almost all the points presented by APCE, highlighting the equality of treatment between public or private entities, the preservation of the data of the social contributions of the workers, the minimization of the publication of personal data in the official newspapers, the autonomy and strengthening of the role of the Data Protection Officer (DPO), and the definition of the scope of the GDPR to national citizens.
The points that were not considered in the new legislation were the maintenance of the age of 13 years for the self-consent of minors (instead of 16 years proposed by APCE), the measure to apply only the amount of data treated and not the size of the company, and a generic data retention period of 10 years. For Rapoula, the contribution of APCE was fundamental to safeguard the interests of members.
At first glance, GDPR is not necessarily harmful to companies and institutions that handle personal data. At first, the compliance task is huge. But when the rules are clear and set, everything gets easier in the end. Everyone wins as long as the legislation is enforced. It’s worth noting that the fines are high – they can reach up to 20 million euros or 4% of the turnover of a company. GDPR is not a trend. It is here to stay.
Sandro Rego is a communication consultant. He was general manager of FleishmanHillard agency and communications executive at Banco Safra, Boticário Group, Bunge and Companhia Siderúrgica Nacional (CSN). He was “Communicator of the Year” at the Aberje 2014 Award. He currently lives in Portugal and is the editor of BRpr’s “Also in Portuguese” section.