The General Data Protection Regulation (EU Regulation 2016/679, GDPR) provides the reference framework for personal data protection compliance in Europe, built on the principle of accountability.
The Regulation introduces clearer rules on privacy notices and consent, defines restrictions on automated processing of personal data (including profiling), lays the foundations for the exercise of new rights, and sets specific criteria for transfers of personal data outside the EU and for the handling of personal data breaches.
It introduces new elements such as the right to erasure ("right to be forgotten") and the right to data portability, establishes criteria that make organisations answerable for the protection of personal data, and allows demonstrable compliance (for example, adherence to approved codes of conduct or certification mechanisms) to be taken into account when assessing how an organisation has met its obligations.
The Regulation does not distinguish between public- and private-sector controllers in terms of status, and contains only a few provisions specifically addressed to the public sector (for example, the mandatory designation of a Data Protection Officer by public authorities and bodies).
It aims to respond to the challenges posed by technological development and new models of economic growth, while taking into account the need for personal data protection, which is increasingly felt by citizens of the European Union.
The Regulation also introduces new roles in the privacy organisation chart, with distinct profiles and responsibilities. First among them is the Data Protection Officer (DPO): a new point of reference for companies and public administrations, for users and customers, and the interface with the supervisory authority. Designating a DPO is mandatory in specific cases (public authorities and bodies, and controllers or processors whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data or of data relating to criminal convictions) and optional otherwise.
Sanctions for violations have also increased sharply, with administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. Companies and public administrations must therefore comply with the obligations introduced, and revise and integrate pre-existing ones, so as to adopt an actual privacy management model that provides adequate safeguards both for data controllers and for data subjects.
In applying the GDPR, any organisation (company, public body, association, foundation) that processes personal data (e.g. data concerning employees, customers or other natural persons) must have appropriate control over its data protection and security arrangements, based on what the Regulation requires, for example:
– identify the data controller;
– designate the data processors and the persons authorised to process personal data;
– designate the system administrators and monitor their activity;
– issue the specific privacy notices to data subjects;
– identify the lawful basis for each processing operation and, where consent is the basis, obtain it in advance (from customers, suppliers, employees, freelancers, interns);
– carry out a data protection impact assessment (DPIA) where required, and a risk analysis of the processing;
– adopt appropriate technical and organisational security measures;
– draft or update the internal and external policies on the use of corporate and personal IT tools;
– maintain and update the record of processing activities;
– provide specific training to staff.
The firm assists in building a compliance system consistent with the GDPR and supports companies in assessing the risks that their processing poses to the rights and freedoms of natural persons, in preparing the company documentation, and in providing specific training on the subject.