To mark Data Protection Day, which is celebrated on 28 January, the conference "Digital Regulation and the Challenges of Privacy", which was attended by Luís Neto Galvão, took place on 30 January in the Small Auditorium of the Caixa Geral de Depósitos-Culturgest Foundation.
The SRS Legal Partner, a specialist in cybersecurity, media, privacy and data protection, telecommunications and information technology, addressed European case law on the subject, with particular attention to international data transfers and the importance of a risk-based approach and priority management. He spoke on a panel that first included a presentation by Cristina Máximo dos Santos, Data Protection Officer (DPO) of Caixa Geral de Depósitos (CGD).
The conference was opened by the Chairman of the Executive Committee of CGD, Paulo Macedo, who briefly contextualised the topic, reinforcing the constitutional protection afforded to data protection as a fundamental right. In his speech, he quoted Peter Handke's phrase "I live from what others do not know about me", an interesting way of defining privacy. He also highlighted the growing use of Artificial Intelligence as a mark of the new digital era and focused on the recent increase in cyber-attacks, which are more sophisticated and frequent and which exploit, in an increasingly profitable way, the vulnerabilities of companies in a new dimension. The risk is not only the paralysis of operating systems, but now extends to the exfiltration of data. He also emphasised the promotion of an organisational culture of compliance at CGD, based on everyone's awareness, contribution and personal responsibility in matters of data protection, highlighting the "Data Protection Guide" of 2021, consisting of 146 questions and answers, to support employees. Committed to and zealous about the protection of customer and employee data in an increasingly demanding society, he concluded his speech by stating that "data protection is in Caixa's DNA".
This was followed by the 1st Panel, "GDPR - Balance, Impacts and Prospects", moderated by Prof. Luís Antunes, from the Faculty of Sciences of the University of Coimbra. Luís Antunes, from the Faculty of Sciences of the University of Porto, introduced the subject, highlighting the paradigm shift from hetero-regulation to self-regulation, in which DPOs are the "CNPD" within organisations. This means that the DPO's role is to monitor the compliance for which companies are responsible, that the position of the DPO, as administrative authority, should be formally reflected in the organisation chart of companies, and that the independence of the DPO in the exercise of his functions should be guaranteed, reporting to the highest level within companies. This panel highlighted the advantages and disadvantages of the DPO as a service and the challenges and impacts felt when implementing the GDPR in institutions. Knowledge of the organisation, the importance of employee awareness and the main innovative requirements of the GDPR (e.g. the data protection impact assessment, DPIA) are aspects of the risk-based approach present in the data protection management cycle. As a priority for action for 2023, the dynamic training of employees and stakeholders was unanimously pointed out, to face, again, the increased wave of cyber-attacks.
Panel II, moderated by Arlindo Oliveira, Non-Executive Director of Caixa Geral de Depósitos, dealt with "Business Models and Artificial Intelligence: Use, Ethics and Responsibility". It addressed the issues of risk management, data minimisation and the use of personal data in systems, with emphasis on differential privacy as an "approach" to correct biases resulting from the use of AI. The importance of privacy by design (preventing the technological, legal and reputational risks of non-compliance with the GDPR) was mentioned, as it makes it possible to identify, from the outset, the need to conduct a data protection impact assessment (DPIA) and to ensure efficient management of human and financial resources (clever compliance, as referred to by Paulo Moita Macedo in his opening speech), in the sense that designing systems from scratch with data protection in mind is a guarantee of compliance.
The third and last Panel, "Risks and opportunities. How are we preparing ourselves?", included, before Luís Neto Galvão's intervention already mentioned, a presentation by Cristina Máximo dos Santos, DPO of CGD. In her opinion, the balance to be made is that the GDPR does not need updating, but still needs enforcement. She highlighted the evaluation report of the GDPR carried out by the European Commission, which considers all the objectives to have been achieved, giving citizens control of their personal data and a robust set of enforceable rights, as well as a system of governance and enforcement, with the creation of the European Data Protection Board, which has been issuing Guidelines and Binding Decisions. The current privacy challenges come from the set of European legal instruments in preparation that enshrine specific data protection requirements in addition to those of the GDPR: digital operational resilience of the financial sector (DORA), payment means and services, consumer credit, and prevention of money laundering/combating terrorist financing. European public policies on artificial intelligence, the data market, data governance, digital markets, digital services and interoperability are another set of current challenges with the protection of personal data at their core. Facing these challenges only requires teamwork and an organisational culture of compliance from all stakeholders.
João Tudela Martins, Chief Risk Officer of CGD, closed the conference by highlighting the scope of data protection, particularly in the commercial, legal and analytical areas. He shared the increased concern with classic risk management, in which personal data is an innovation to be considered, recalling the extra challenge posed by the geographies of the CGD Group regarding data protection. He focused on "Looking forward": maintaining an organisational culture of customer-centric compliance in data protection, with great impetus in training all stakeholders.