Finance Monthly Magazine
To hear about GDPR in Portugal, this month we connected with João de Sousa Guimarães, Managing Partner at Teixeira & Guimarães (T&G). Based in Porto, and with a branch office in Lisbon, the boutique firm provides financial and corporate legal support to national and global companies.
GDPR came into effect on 25th May – how did the Portuguese Government prepare for the new regulations?
The truth is that until recently, there haven’t been any national regulations in relation to GDPR. The Portuguese Government in fact tried to dismiss the penalties for the public sector’s non-compliance, which was faced with divided opinions, as it meant that private companies are being treated differently. Thus, the Government didn’t get the national parliament’s approval to pass a set of regulations and the issue is still to be discussed.
Are the majority of Portuguese companies compliant with the new regulations now?
No, they are not. The previous EU data protection directive has been in effect over the past 20 years, but Portuguese companies weren’t taking it seriously. Since November 2017, we have noticed the effort that big corporations have been making to be GDPR compliant, but there’s still a long way to go – especially for Portuguese SMEs and the public sector.
What are the key GDPR challenges that Portuguese SMEs are faced with?
I believe that the key challenge they are faced with is the paradigm shift. Up until now, most of the SMEs in Portugal simply haven’t considered data protection as a major issue in today’s world. And I’m not only talking about digital customer relationships – there are so many companies that collect and store customer data in physical form, without having any internal safety policies. Most SMEs don’t fully understand the importance of data protection. They see the implementation of GDPR as something unnecessary that will only cost them money, as opposed to an opportunity to improve their relationships with the company’s stakeholders and clients.
The paradigm is shifting. And even though most SMEs are afraid of the penalties (and so is the Portuguese government itself), things have started to improve.
What is your piece of advice for companies that are not GDPR compliant yet?
I think the most important thing for companies that are not compliant yet is to understand this paradigm shift. They need to find the gaps between their current policies and what GDPR requires. They then should seek advice on how to become compliant and properly handle their clients’, employees’ and service providers’ personal data.