Never before have people felt their privacy so threatened.
Even before the General Data Protection Regulation (GDPR) took effect, privacy was already seen as a requirement of every individual and was increasingly present as a fundamental right in legal documents.
Once in force, the GDPR sets out a set of standards for European entities with an online presence to follow. But not only for EU entities: as these new obligations do not require legal transposition in other countries, the GDPR applies in any country dealing with the data of European citizens.
In Portugal, the entity responsible for overseeing the application of the Regulation and applying sanctions in situations where citizens' rights aren’t being respected is the National Data Protection Commission (CNPD - The Portuguese National Commission of Data Protection).
“For every known reported data breach, there are probably many known unreported data breaches. Then there are the unknown unreported data breaches, which are probably a staggering number.” Daniel J. Solove
Since the implementation of the GDPR on May 25, 2018, the CNPD has intervened with 4 entities (until April 30).
One is the Centro Hospitalar Barreiro Montijo, which was fined 400,000 euros for violating Article 5 (1) (c), the principle of data minimisation, by allowing indiscriminate access to an excessive number of users (sanctioned under Article 83 (5) (a), the basic principles of processing). This amount also includes a sanction for breach of integrity and confidentiality under Article 5 (1) (f), resulting from the failure to apply technical and organisational measures to prevent unlawful access to personal data.
In addition to starting to apply sanctions under the GDPR for non-compliance, the CNPD has also made two separate online forms available: one for reporting the organisation's DPO (Data Protection Officer) and recording the collection and handling of data, and another for notifying personal data breaches.
For most companies with a purely institutional and informational online presence, the data collection that takes place on their websites happens almost exclusively through contact forms and quote requests or, at most, by setting a few cookies for session analysis and control and for visual content management.
With this in mind, at critec we have created solutions that allow our clients to comply with the GDPR: pages with Privacy and Cookie Policies appropriate to each client's online presence, consent guarantees integrated into contact forms, and ongoing training and news for our customers and partners.