The General Data Protection Regulation (“GDPR”) promises to be the most significant global development in data protection laws across all European Union (“EU”) Member States since Directive 95/46/EC (“Data Protection Directive”), which was implemented in Portugal by Law 67/98, of 26 October 1998.

The GDPR will be directly applicable in all EU Member States from 25 May 2018. The new regulation will have a global scope, as businesses based outside the EU that offer goods or services to individuals in the EU may be required to comply with the GDPR.

The risk of fines up to 4% of annual worldwide turnover or €20 million is surely a strong incentive for companies to comply with the GDPR.

The new regulation is expected to be applied homogeneously throughout the EU. Nevertheless, Portuguese law will apply in cases where it may impose more detailed conditions, such as those relating to the processing of sensitive data, particularly genetic data, biometric data or data concerning health. Portuguese law may also contain specific rules regarding the processing of employees' personal data, especially for the purposes of recruitment, performance and termination of the employment contract, which will apply together with the GDPR.

The combined application of the GDPR and Portuguese law will be particularly relevant where companies collect and process data from Portuguese individuals and/or the Portuguese supervisory authority acts as lead authority because the main establishment or the single establishment of the controller or processor is located in Portugal.

Individuals who are resident in Portugal will have the right to lodge complaints with the Portuguese supervisory authority. For proceedings against a data controller or processor, the plaintiff will have the right to bring the action before the Portuguese courts if the data controller or processor’s business or the individual’s residence is located in Portugal.

Although the core data protection rules remain broadly the same, there are important changes that affect day-to-day business, of which companies should be aware and for which they should prepare in advance.

As companies prepare for the entry into force of the GDPR, we propose a seven-step plan covering the main aspects of the GDPR that companies need to address. This should also be used as an opportunity to improve the way companies deal with personal data within their organization. The countdown to 2018 has started.