The General Data Protection Regulation no. 2016/679 (GDPR): the main changes for companies
On May 25, 2018, the General Data Protection Regulation no. 2016/679 (GDPR) * becomes applicable, repealing Directive 95/46/EC and partly replacing the Privacy Code (Legislative Decree 196/2003) currently in force in Italy.
The primary objective of the GDPR is to enforce the protection of the personal data of natural persons as a fundamental right. To this end, it introduces clearer rules on information notices and consent, recognizes new rights for data subjects (including the so-called "right to be forgotten"), sets new limits on the automated processing of personal data and strict criteria for the transfer of data outside the EU.
The key word for companies and public bodies is "accountability": the new Regulation introduces the principle of accountability, under which the controller must decide autonomously the methods, safeguards and limits of data processing, and must also be able to demonstrate that it has adopted legal, organizational and technical measures that are adequate and effective for the protection of personal data.
One implementation of accountability is, for example, the appointment of a Data Protection Officer (DPO), governed by art. 37 of the Regulation. The DPO has an advisory, assistance and supervisory role with respect to compliance with the EU regulation on privacy. The tasks of the DPO, set out in art. 39, also include cooperating with the supervisory authority and acting as the point of contact for it.
The Data Protection Officer, whose designation is mandatory for public bodies and for private entities that monitor data subjects on a large scale or process sensitive data on a large scale, may be an employee or an external professional with specialist knowledge of data protection law and practices and the ability to carry out the tasks referred to in Article 39.
The Article 29 Working Party (WP29), in its Guidelines on Data Protection Officers, made it clear that, in order to promote efficiency and correctness and avoid the risk of overlaps, there must be a single DPO, who may, however, be supported by a team of collaborators.
Another novelty that expresses the accountability of controllers for the processing they carry out is the Data Protection Impact Assessment, also known as the Privacy Impact Assessment (PIA). The Privacy Impact Assessment is an important tool available to controllers for implementing systems that comply with the European regulation: it makes it possible to assess the necessity and proportionality of the processing and to identify the risks to the rights and freedoms of data subjects, together with the measures to address them.
Carrying out a data protection impact assessment is mandatory only if the processing "is likely to result in a high risk to the rights and freedoms of natural persons", as provided for by art. 35, which does not clarify what is meant by "high risk" but merely identifies certain cases in a non-exhaustive list.
For all data controllers and processors, with the exception of organizations with fewer than 250 employees that do not carry out processing likely to result in a risk, the obligation to keep a record of the processing activities carried out was introduced.
The record, whose requirements are listed in art. 30 of the GDPR, must be made available to the supervisory authority. The purpose of this provision is to demonstrate the compliance of the controller or the processor with the Regulation; for them, preparing the record can also be a useful planning and control tool.
Another new feature introduced by the GDPR, which mainly affects companies, is the obligation to report a personal data breach to the Garante (the Italian supervisory authority). Article 33, where there is a risk to the rights and freedoms of natural persons, imposes on the controller an obligation to notify the supervisory authority within 72 hours of becoming aware of the breach. Failure to comply with this obligation will result in administrative fines of up to 10,000,000 euros or 2% of the total annual worldwide turnover of the previous year, whichever is higher.
As can be seen from the above, it is important that companies and professionals act as soon as possible to comply with the new provisions by 25 May 2018, so as not to risk incurring heavy penalties.
* Regulation (EU) 2016/679 is available at http://eur-lex.europa.eu/legal-content/it/TXT/?uri=celex%3A32016R0679