The aftermath of passing of the GDPR in Europe (and of the Brazillian Law of Data Protection) seems to be a very dark and dreary place, full of uncertainties, what, in some sense, is completely understandable.
However, before dreading is important to assess the situation and pinpoint what are the difficulties in implementing any Data Protection policy.
The first issue the sheer amount of new requirements that were created, new obligations, especially those regarding access and communication with the data subject created a new level of issues to companies that deal with great number of users (and, consequently, of data).
Another important aspect is that Data Protection policies are very process-driven, what requires a lot of work in order to organize the company to abide by those stipulations, such as the need to be “privacy-by-design and by-default”, what requires the incorporation of privacy in their architecture of products and services. In Brazil is important to highlight that the level of organization in medium to small size companies is very low, what will impose another difficulty for those players to comply with those policies.
The third aspect is that will those policies may be vague in some points (especially the Brazilian law), there is a good level of detail required, and that need to be understood, such the need to keep internal records of all and any of their data protection activities, for example.
It is also important to highlight the fines that may be applicable in case of non-compliance, with can reach substantial values (around 50 million BRL by the Brazilian law, for example), what raises concerns regarding the application of those fines.
And, the last but not the least, there is the fact that those policies have very broad goals and seek to protect the usage of data in ways that, in the future, may evolve in a sense that the very core of the definitions stablished on those policies (that are already somewhat vague, in some concepts) became unnecessary or not useful for their implementation.
That being said, this initial moment, in which these policies will be implemented and understood, is a moment in a very important phase will take place, the phase of testing these policies, what will lead, in the future, for a better a more adequate Data Protection regulation.
Lawyer Author of the Comment: Luciano Del Monaco
Headline: Complying with the General Data Protection Regulation (GDPR) What and how?
“If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.”