On 11/08/2017 and 11/09/2017, one of the world's main events on Privacy and Data Protection was held in Brussels. Hosted by IAPP, the congress brought together 1500 privacy professionals from around the world. To keep myself updated and bring the main news on the subject (which will greatly influence the future Brazilian General Data Protection Act) to Opice Blum, Bruno, Abrusio and Vainzof, I attended the two days of the Congress and, below, I set out 15 highlights:
1. When there is an indication of an incident related to information security, the first step should be to investigate whether or not the event has affected personal data. Therefore, the IT and legal department teams must work together to mitigate the consequences of the incident.
2. No Company is fully safe from incidents involving the breach of personal data (for example, leaks). Therefore, all Companies must be prepared for possible incidents. This means that Companies processing personal data should ideally have an action plan for any personal data breach, in order to mitigate its negative consequences (both legal and reputational). The action plan should take the extent of the incident as its parameter, establishing in advance the deadlines and measures to be adopted.
3. Regardless of regulatory issues, practice shows that companies which take appropriate measures to report personal data leaks to consumers suffer fewer negative impacts, both in the legal and in the commercial sphere.
4. Companies believe they will not be prepared to comply with the General Data Protection Regulation (GDPR) when it comes into force (May 2018), according to research by the International Association of Privacy Professionals (IAPP). It is worth remembering that this is the European reality, even with the 2 years between the adoption of the new regulation and its entry into force. In Brazil, bills stipulate much shorter deadlines for companies to prepare for new regulations (120 or 180 days).
5. Companies' investments in this adaptation period are concentrated in training activities related to GDPR.
6. The private sector still has doubts about how to implement and, in practice, guarantee data subjects the right to data portability, one of the main novelties introduced by GDPR.
7. For European Companies, the main difficulty in complying with GDPR is the lack of an adequate budget. For American Companies, the main difficulty is adequately understanding the requirements of the new regulation.
8. Data Breach is the main concern of European Companies.
9. The right to data protection in the workplace is within the scope of GDPR, although it is subject to specific regulations in the different countries of the European Union. Thus, it should be remembered that all provisions of the GDPR also apply to labor relations.
10. Consent is still one of the most controversial points of privacy regulation. The technological advancement of the Internet of Things, for example, has been widely cited to justify the need for a regulatory agenda that is not guided by consent as the basis for legitimizing the processing of personal data.
11. Under the terms of the GDPR, consent is one of the legal bases for processing personal data. There are others, but considering the context of digital companies that collect data as a bargaining chip for the provision of "free" services on the Internet, consent remains the applicable basis.
12. Without denying the importance of the data subject's express authorization as a basis for processing personal data, it is questionable whether the regulatory model of consent has worked so far, considering that the well-known Privacy Policies and/or Cookie Policies are often accepted unread by data subjects.
13. There is a shortage of qualified professionals to provide legal services related to data protection in Europe. Although the European continent is considered avant-garde on the subject, the overall conclusion of the event is that the demand for privacy professionals is on the rise in Europe, with further growth expected by May 2018 (when the new regulation starts to apply).
14. The best way to comply with GDPR is prevention. The new European regulation will, to a certain extent, transform the way in which most Companies deal with issues related to personal data protection. In other words, the private sector is noticing that, for a company's reputation and to escape the severe sanctions imposed by the new regulation, the best recipe is to invest in preventive consulting, which in fact corresponds to one of the aims of the GDPR. Training and impact reports prepared before a project is completed, for example, are essential for any company that processes data of European citizens.
15. The Brazilian scenario has multinational Companies on alert. This last aspect could be noticed not in the lectures, but in conversations with the European professionals attending the congress. Eyes are on the Brazilian data protection regulations, due to the relevance of the digital economy in Brazil and, above all, the huge volume of Brazilian personal data processed by foreign Companies. On this point, there is great expectation that Brazil will fill the legislative gap on the matter by 2018.
That being said, it is possible to assert that in Brazil we are also at the stage of studying the consequences of the future data protection regulation. In practice, we are noticing a strong inclination of the private sector towards regulatory prevention in privacy and data protection. In Europe and in Brazil, all attention is on the protection of personal data and on the development of digital economy business models, for which personal data is the new oil.
*Associate Privacy Lawyer at Opice Blum, Bruno, Abrusio and Vainzof, undertaking a Master's degree in Digital Law (Universitat de Barcelona, Spain) and specialist in Intellectual Property and New Business (FGV Law, São Paulo, Brazil).