The General Data Protection Regulation (GDPR) was introduced by the EU legislator in order to harmonize privacy legislation within the European Union.
The GDPR therefore repeals Directive 95/46/EC on personal data protection, which was conceived when only 1% of the European population used the Internet, and social media, tablets and apps had yet to make their first appearance.
Briefly, the GDPR introduces the concept of “data protection by design and by default”, which requires companies to take all the measures necessary to meet the GDPR requirements and to protect the rights of data subjects before starting any personal data processing.
The protection of personal data is therefore a crucial aspect that each company has to face from the service design phase onwards, and it thus has an inevitable impact both on the company’s processes and on its information systems.
Regulation (EU) 2016/679
Fully applicable from 25 May 2018
General Data Protection Regulation
The path to compliance through GDPR
What to do?
It is first necessary to understand whether your company has gaps in relation to the GDPR, and then to identify the actions to be taken to implement the regulatory provisions.
The analysis must cover both the organizational and regulatory aspects and the security measures.
Start a structured, context-specific programme aimed at achieving the transition to the GDPR and maintaining the measures required by the law over time.
12 important tips
1. Identify personal data you deal with
Know which personal data you process. Identify their source, the purposes for which you process them and whether it is actually necessary to keep them.
2. Keep only personal data useful for the processing purposes
Check whether the retention period of the personal data you process is consistent with the purposes for which they were collected or with other applicable legal obligations. Identify personal data whose storage is no longer necessary and adopt measures that prevent processing that is no longer lawful.
3. Adopt an “organizational model” to manage the obligations envisaged by the GDPR
Define an organizational structure for your company that identifies roles and responsibilities, both internal and external, for managing the regulatory obligations of the GDPR.
4. Update the policies and procedures for the protection of personal data
Map roles, responsibilities and operating procedures for managing data security within your organizational policies and procedures. Ensure that these documents are accessible to their intended recipients and that those recipients have been adequately trained on their contents.
5. “Privacy by design” as a fundamental principle
The protection of personal data is a crucial aspect that each and every company must face from the design phase of a service, and it therefore has an inevitable impact both on the company’s own processes and on its information systems.
Adopt appropriate organizational and technical measures to ensure that, by default, only the personal data necessary for each specific processing purpose are actually processed.
6. Prepare to handle “data breach” cases
The GDPR introduces the obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. There is also an obligation to communicate the breach to the data subjects concerned when it is likely to result in a high risk to their rights and fundamental freedoms.
Develop technical and organizational measures suitable for detecting, assessing and reporting personal data breaches.
7. Prepare to manage the rights of the parties involved
The GDPR recognizes many data subject rights, in particular the rights of access, rectification, erasure, restriction of processing, data portability and objection.
Develop technical and organizational measures for handling data subjects’ requests to exercise these rights.
You are responsible for demonstrating the lawful basis for storing and processing personal data and for ensuring their integrity.
8. Greater responsibility (accountability): are you ready?
This principle makes data controllers accountable for adopting approaches and policies that take into account the risk that a processing operation may pose to the rights and freedoms of the data subjects.
This is significant news for data protection: controllers are entrusted with deciding autonomously on the methods, safeguards and limits of the processing of personal data, and must be able to demonstrate that the choices made comply with the GDPR.
9. Designation of the Data Protection Officer (DPO)
A new figure introduced by the GDPR. The DPO is a professional whose tasks are to inform and advise the data controller, to monitor compliance with current legislation and with the controller’s own policies, to provide, where requested, an opinion on the data protection impact assessment, to cooperate with the supervisory authority and to act as the contact point for the supervisory authority on matters related to processing.
Check whether your company is obliged to designate a DPO and, if so, formalize the appointment.
10. Perform a “Data Protection Impact Assessment” (DPIA) whenever one is required
Each data controller must carry out a data protection impact assessment in the cases envisaged by the law, in particular where the processing is likely to result in a high risk to the rights and freedoms of natural persons. This means assessing in advance, from a data protection point of view, the impact of each processing operation that will be carried out.
11. Prepare and update the record of processing activities
In the cases envisaged by the GDPR, companies must keep a record of the processing activities they carry out.
Ensure that the record is prepared and kept up to date.
12. Be transparent to the parties involved
Article 5(1)(a) of the GDPR requires that personal data be processed in a transparent manner in relation to the data subject. Transparency is therefore a fundamental and constitutive element of the controller’s accountability.