Companies want to be compliant but the large amount of rules and regulations make it a difficult process
EU proposals to reform data protection rules are causing anxiety among clients who are struggling to comprehend the legislation, according to Ana Rocha, an associate specialising in data protection at CCA Ontier in Lisbon.
“The challenge is that companies want to be compliant. On the one hand, firms process a lot of personal data and so they want to increase its security but the high amount of obligations and procedures imposed by law makes it difficult to comply and implement,” she says.
The proposed new rules aim to increase online privacy and enhance the EU´s digital economy as well as create a single law to be applied uniformly across the region. It is anticipated that the new rules will increase e-commerce by boosting consumer confidence while making international trade between member states seamless. The intention is to eliminate the fear of transmitting data as there is uncertainty regarding the level of protection in certain countries.
The new legislation also aims to increase awareness among EU citizens of the importance of data protection and the “right to be forgotten”, as the reliance on the use of the internet results in users unwittingly leaving digital “fingerprints”.
However, while the new rules will allow for individuals and companies to complain and obtain redress regarding misused data, they will bring a number of new challenges, according to Rocha. “One big challenge is transparency, as people demand and have a right to know what firms are doing with their personal data.”
In addition, the legislation is not only something that the telecommunications or banking sectors must be aware of but something that all companies must take into account regardless of the sector in which they operate, Rocha says.
“Firms process increasing amounts of personal data and they want to increase its security and this is part of the support we provide to our clients, to simplify their understanding of the legislation and help them be compliant.” Rocha points to the fact that there are more and more security concerns as cross-border transactions increase and business is becoming globalised.
Another important part of the legislation that people were not aware of but which is becoming increasingly sought after is the right to be forgotten. “This right already existed in Portugal in a more restricted way as a mere right to erasure, but many people were not aware of it. Companies must assess whether or not there is a legitimate reason to demand it which means an evaluation of the specific circumstances of each case is necessary,” Rocha says, highlighting the fact that, previously, internet users were blasé about their use of the web, content or not particularly worried to have their names and information available in order to be accessible.
“Now they [internet users] are aware of the disadvantage of that. Now there is the possibility to change their image and presence on the internet,” Rocha says.
The other important question that firms ask relates to the level of privacy that they want to implement, she explains. “EU firms are also now doing more and more business with firms outside the EU. It is very important that each country can apply the level of privacy that is tailor-made for them, depending namely on the nature and amount of data they collect, and whether they work with third parties.”
Companies want to know what type of security measures need to be implemented and what level of consent they need, according to Rocha. Therefore the design of measures must take place on a case-by-case basis depending on a company’s needs. “Law firms are requested to review policies and to consult on project development,” she says.
Rocha envisages a growth in demand for legal services regarding online transparency and data protection in the coming years, both within the EU and worldwide, as international business and e-commerce increases.