In the past few weeks, companies in various market segments have sent messages to the contacts in their respective databases to inform them of certain changes to the rules applicable to the use of their personal data. The reason for the messages was their concern with the coming into force of the new General Data Protection Regulation of the European Union (the “GDPR”) as of May 25, 2018.
The GDPR emerged from the need to adapt the law to the growing relevance of personal data in the conduct of commercial business today. In this scenario, the GDPR has assumed the important role of updating the rules applicable to the protection of data belonging to individuals located in countries of the European Union, thus establishing a new normative standard to govern the matter.
Who should be concerned with the GDPR?
All companies that offer goods or services to individuals located in the European Union, or that monitor the behavior of such individuals, are subject to the GDPR. A company that falls under either of these categories must comply with the GDPR as of its coming into force, whether or not the company is established in the territory of the European Union. This also applies to Brazilian companies.
What are the main innovations of the GDPR?
The GDPR is quite complex and sets forth legal innovations with regard to the manner in which companies should treat personal data. Among the main novelties introduced by the GDPR are:
(1) the rights assured to individuals to access, rectify, move and/or remove their personal data from databases;
(2) the new rules relating to the protocol to be followed in the event of a personal data breach incident;
(3) the new logic related to the circumstances that allow the treatment of personal data; and
(4) the rules related to the appointment of a Data Protection Officer (DPO) to manage all matters relating to the data protection affairs of the company.
For Brazilian companies, the moment calls for a careful analysis of internal processes and an evaluation of the possible impacts that the new regulation may have on their businesses. A good first step is to map and fully understand every step in the flow of clients’ and prospects’ personal data inside the company.
Although there is still no law in Brazil governing the matter, the Brazilian Congress has been reviewing proposals on this subject for quite some time, and a Brazilian law on the protection of personal data should not take long to be enacted. Meanwhile, for Brazilian companies to achieve a privileged position in the market, adapting their internal processes to the existing rules may prove essential, especially in the context of negotiating international contracts (both with clients and with suppliers).
In general terms, companies that are subject to the GDPR and fail to comply with its provisions may be penalized by the European authorities with fines of up to EUR 20 million or up to 4% of the company’s turnover (whichever is higher).