GDPR: EVERYTHING YOU NEED TO KNOW.
Are businesses and public agencies prepared to comply with the new data protection regulation?
As many of you may know, as of May 25, 2018, EU Regulation 2016/679, known as the GDPR (General Data Protection Regulation)—which concerns the protection of natural persons with regard to the processing and free movement of personal data—is directly applicable in all Member States.
The GDPR in a nutshell:
- introduces clearer rules on information to data subjects and on consent;
- sets limits on automated decision-making, including profiling;
- establishes new rights for data subjects, such as data portability and erasure;
- establishes strict criteria for the transfer of personal data outside the EU;
- sets strict rules on handling and notifying personal data breaches.
The rules also apply to organizations established outside the European Union that offer goods or services to individuals in the EU or monitor their behaviour there. Any organization processing such data, regardless of where it is based, is therefore required to comply. Controllers and processors face greater accountability, and non-compliance can result in heavy penalties: administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
The One-Stop Shop
To address any difficulties, a “one-stop shop” mechanism has been introduced to simplify supervision and ensure a consistent approach. Companies operating in multiple EU countries deal with a single lead supervisory authority: the data protection authority of the country where they have their main establishment.
Data portability
The Regulation introduces the right to “data portability”: individuals may receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format and transmit it to another controller. This right makes it easier to switch from one service provider to another, thereby facilitating the creation of new services, in line with the Digital Single Market strategy. It does not apply to processing carried out in the exercise of official authority, such as data held in public records like civil registries. Separately, transfers of personal data to non-EU countries or international organizations are permitted only where an adequate level of protection is ensured or appropriate safeguards are in place.
The principle of “accountability”
There are other significant new developments. The regulation makes data controllers accountable: they are responsible for compliance and must be able to demonstrate it, with an approach that places greater emphasis on the risks a particular processing operation may pose to the rights and freedoms of data subjects. A concrete expression of this risk-based approach is the data protection impact assessment, which must be carried out before processing that is likely to result in a high risk.
Data breach
The data controller must notify personal data breaches to the Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; every breach, whether notified or not, must be documented internally. Responding effectively to a data breach requires a multidisciplinary and integrated approach, as well as greater cooperation at the EU level. Current practice has numerous flaws that need to be addressed. It is not easy, but it must be done if the opportunity offered by the GDPR is not to be missed. The first requirement for Italian companies is undoubtedly the adoption of the Personal Data Processing Register (the record of processing activities); however, even before dealing with the paperwork, the company must understand the importance and value of its data, as well as the significant economic damage a data breach can cause. If a breach is likely to result in a high risk to individuals’ rights and freedoms:
- the data controller must also inform the data subjects concerned in clear and plain language, without undue delay, describing the likely consequences of the breach and the measures taken or proposed to mitigate the damage;
- it may decide not to notify the data subjects if it had applied protection measures that render the data unintelligible to unauthorized persons (for example, encryption), if it has since taken measures ensuring that the high risk is no longer likely to materialize, or if notifying each data subject would involve disproportionate effort; in the latter case, it must issue a public communication instead;
- the Data Protection Authority may nevertheless require the controller to inform the data subjects, based on its own assessment of the risk posed by the breach.
The role of the DPO (Data Protection Officer)
It is no coincidence that the role of “Data Protection Officer” (DPO) has been established. This individual oversees the proper handling of personal data within companies and organizations and is selected on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. Appointing a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.
The Data Protection Officer:
- reports directly to the highest management level;
- is independent and receives no instructions regarding the performance of their duties;
- is provided with the human and financial resources commensurate with the task.
In reality, there is still much uncertainty about what a DPO is. It is an important role, but it is certainly not the “center” of the system established by the GDPR; under the new framework, that role always belongs to the data controller. The DPO must possess specific expertise “in the laws and practices regarding personal data, as well as the administrative rules and procedures characteristic of the sector.” It is no less important that they also possess “professional qualities appropriate to the complexity of the task to be performed” and, especially in sensitive sectors such as healthcare, can demonstrate specific expertise in the types of processing carried out by the controller. Equally important are the DPO’s decision-making autonomy and independence from the determination of the purposes and means of processing (a DPO who also decided those would be in a conflict of interest), if data subjects are to regain sovereignty over the circulation of their own data.