If you are a business owner based in Europe, you should be aware of the following.
The legal framework for the protection of personal data in the European Union was substantially amended in 2016 with the adoption of the General Data Protection Regulation (GDPR, known as RGPD in Portuguese).
The new legal framework brings changes that will certainly affect the data-processing procedures organizations have in place. Failure to comply with the new rules will give rise to fines ranging from 20 million euros to 4% of the annual revenue of the non-compliant company.
Pedro Veiga, coordinator of the National Center for Cybersecurity, believes that the RGPD is “a very important piece in security and trust in the digital world”. The full statement can be read in Portuguese here.
The new data protection regulation is already in force, but until May 2018 there is a transition period that allows entities that manage third-party data to be able to adapt to the new standards without suffering sanctions.
The Regulation sets limits such as a maximum of 72 hours for the parties involved to report security incidents that expose personal data managed by the victim organization, and it creates the role of Data Protection Officer, the person responsible for data protection within an organization. Another novelty is a limit on companies' ability to request and use personal data: data may be collected only for a stated purpose and retained only for a defined period.