As of 25/05/2018, the provisions set out in the European Privacy Regulation (Reg. UE 2016/679) (hereinafter referred to as the “Regulation” or “GDPR”, the acronym of General Data Protection Regulation), which protects the processing of personal data of natural persons, came into force.
Some of the new points introduced by the Regulation are as follows:
The principle of company accountability;
Documentary obligations (processing record, impact evaluation, contracts with those responsible for processing, letter of engagement for those responsible for processing data) (i.e. accountability);
New rights for interested parties (right to erasure, right to portability, clearer regulations concerning statements and consent);
Obligations of notification to the Authority and communications to interested parties in case of data breach;
New professional figure, the Data Protection Officer (DPO);
New set of sanctions (see paragraph below).
From 25th May 2018 onwards, those that do not comply with the new Regulation risk sanctions up to 20 million Euros (!). When determining sanctions, the Authority takes into consideration a number of factors, such as:
Nature and seriousness of the violation
Duration of the violation
Intentional nature of the violation
Recurrence of violations by the party in question
Damage caused to the interested parties
Preventative measures put in place
Collaboration with the Authority and compliance with the provisions issued by the same
It should also be remembered that violations of privacy regulations may also result in claims for liability (obligation to pay damages) by interested parties, as well as in specific crime charges (see Privacy Code regulations, Legislative Decree of 30th June 2003, n° 196). Finally, the GDPR renders it obligatory to notify any data breach that occurs not only to the Authority but also to the parties involved, resulting in notable consequential damage to a company’s image.
The concept of Accountability makes companies themselves responsible for determining the most appropriate means and measures (whether related to organization, training, IT or printed documentation) that are to be adopted in order to ensure that they comply with the Regulation in terms of company accountability. The same principle states that the burden of proof lies with the company, meaning that the same must be able to demonstrate (via means of documentation) that it took all necessary measures in order to comply with the new regulation.
Forlani&Co (as a Rimini-based privacy consultant / privacy and data officer) assists businesses in coming into line with the GDPR, in particular through the following activities:
Company audit/analysis of the data processed/risk analysis;
Analysis of the company’s current privacy protection measures on the basis of the Privacy Code;
Indications of the technical and organisational measures that should be put into place in order to comply with the new Regulation;
Indication of the adequacy of the IT system currently being used;
Indications as to how printed and electronic documents should be archived;
Indication as to the use of email, newsletters and websites for marketing purposes;
Indication of the documents that the company is responsible for drawing up, saving and updating according to the Regulation;
Drafting of the Processing Record;
Drafting of various necessary statements and their manner of communication;
Indication as to when, and from whom, to request consent;
Indications as to the manner of managing relationships with employees, general control instruments, manner of processing the personal data of employees;
Indications as to the content of contracts/agreements that need to be drawn up with the various parties involved in data processing (internal and external parties and other people responsible for data processing);
Indication as to the processing of data recorded using video cameras;
Indications as to the content of standard contractual clauses for the transfer of data to other countries;
Training of the people in charge of personal data processing and other professionals involved in such activity (employees).
Here below are some reasons why it is recommended that you consult a lawyer or law firm for advice and assistance in terms of privacy-related matters (and in particular with reference to ensuring compliance with GDPR 2016/679):
Necessary and complementary legal knowledge: The activities that need to be carried out in order to ensure privacy regulation compliance necessarily require in-depth legal knowledge, such as, for example, a knowledge of employment law (i.e. employee data processing), contract law (i.e. relationships with external service providers) and online commerce regulations.
Personalised service: Compliance-related activities must, as far as possible, be personalised to take into account the current company organisation and therefore it is not advisable to opt for basic standard services/documents that would not adequately ensure company compliance under the new Regulation.
Analysis accuracy: The new Accountability approach means that careful company analyses need to be carried out and that the complete range of privacy-related regulations be correctly interpreted.
Professional register membership: Those belonging to a Professional Register are obliged to follow a Code of Conduct which ensures quality, professionalism, fair behaviour and reliability.
Insurance cover: Lawyers are legally covered in case of claims.