Are you ready for the new privacy regulation to take effect?
The Italian Data Protection Authority has developed guidelines for the implementation of European Regulation 2016/679 on the protection of personal data, adopted by the European Parliament in April 2016, to enable individuals, businesses, and public entities to understand and correctly apply the new provisions in this area.
The Regulation, which will take full effect on May 25, 2018, will apply in all EU countries without the need for any transposition procedures and will replace the current Privacy Code, which was adopted by Legislative Decree No. 196 of 2003 in implementation of a previous EU directive.
Within a year, therefore, the national regulations on privacy and data protection in all European Union member states will be harmonized into a single set of rules.
The system established by the European Union consists of two parts: a regulation concerning individuals, businesses, and public authorities, and a more specific directive regarding the use of personal data in the context of security, law enforcement, and the administration of justice. This second part must be transposed into national law through implementing legislation.
The Data Protection Authority’s Guide addresses the topics covered in the first part of the legislation, dividing them into six categories (legal grounds for processing; privacy notices; data subjects’ rights; data controllers, processors, and persons in charge of processing; a risk-based approach to processing and accountability measures for data controllers and processors; and international data transfers), and discusses the relevant changes and potential issues for each category.
In particular, some of the changes introduced by the regulation benefit data subjects. First of all, any consent form signed by the data subject must be clear, concise, transparent, intelligible, and easily accessible. Furthermore, the data subject may choose to have their data transferred from one entity to another, and so can switch providers without losing the data they have provided. Explicit consent for the transfer of personal data will be required only for transfers to countries outside the EU or to international organizations that do not ensure an adequate level of protection.
On the other hand, the regulation promotes the accountability of data controllers and the adoption of approaches and policies that consistently take into account the risk that a given processing of personal data may pose to the rights and freedoms of data subjects.
Finally, another important change concerns the introduction of the role of Data Protection Officer, a professional responsible for managing and overseeing the privacy policies of companies and organizations.
Within a year, therefore, we will see the impact of this reform and how the handling of personal data will change across the European Union.