On May 25, 2018, the GDPR (General Data Protection Regulation), Regulation (EU) 2016/679 of April 27, 2016, became applicable across the European Union.
The Regulation lays down rules on the processing of personal data that apply in every Member State of the European Union: it is the body of law that protects the flow of information relating to a natural person. The "data subject", that is the person to whom the personal data refer, is the real protagonist of a piece of legislation which, being a regulation, applies directly in the Member States without the need for national transposition laws.
The text is very detailed, 173 recitals and 99 articles, and is both complex and difficult to apply in practice. Mandatory adaptation is demanding enough that companies often have to turn to experts to align their operational functions with the new legislation.
It is a text projected into a future of coexistence with the most advanced technology, robots included; reading the GDPR one cannot fail to notice how much it places at its center the protection of a new and decidedly more profitable business asset: data.
Data are by now the real new resource of the global economy, the new turnover of companies. Thanks to personal data it is possible to create new products, create new daily needs, formulate offers tailored to the needs of customers one has never met, improve business offerings and steer the economy.
It is easy to see that something so important to the economy cannot travel at the mercy of all. Data require protective legislation, and also the removal of the legal or administrative restrictions which, by imposing local data management at national level, would fragment the EU market; the abolition of these restrictions is estimated to be worth up to EUR 8 billion a year of GDP. To ensure compliance, the GDPR provides for significant sanctions in case of violation of its rules:
- Administrative fines of up to EUR 20 million or, for undertakings, up to 4% of total worldwide annual turnover (consolidated at group level), whichever is higher (Art. 83);
- Criminal sanctions, which the GDPR leaves to the Member States (Art. 84); under Italian law these can reach imprisonment of one to three years;
- Orders to suspend or interrupt the processing of personal data (Art. 58).
Let us not make the mistake of underestimating the sanctions! To date, in fact, most sanctions against data controllers have been triggered by simple reports, such as those of hackers or dissatisfied customers!
The reason for these increasing reports is not hard to understand: people are increasingly aware of their rights and expect them to be respected.
Information creates awareness!
The GDPR pays particular attention to the digital world and new technologies: its purpose is to protect personal data while facilitating their free movement, so as to increase trust in digital services. This is what emerges from Article 1 read together with recital 6 of the Regulation.
What are the data protected by the GDPR?
Art. 4 defines "personal data" as any information relating to an identified or identifiable natural person (the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Although the definition confirms that the protection afforded by the GDPR is directed at the personal data of natural persons, this does not mean that companies, or legal persons in general, fall outside the Regulation. Look at any company closely and you will see that companies are made up of people, from employees to customers. The GDPR protects the collection and processing of personal data and of all those data that "identify or make identifiable" a person, such as:
- the license plate of a car;
- the IP address of a PC, whether static or dynamic (as ruled by the Court of Justice of the European Union in 2016, Breyer, C-582/14);
- the sound of a voice;
- images depicting a person;
- e-mail addresses (even generic ones, as long as they refer to a natural person).
How to adapt to the GDPR?
First, in order to understand whether we are operating within the parameters dictated by the GDPR, we must ask ourselves some key questions about the way in which we collect and process personal data.
- What personal data do we collect?
- For what purposes are they used?
- In relation to a given purpose, do we request only the data needed to fulfil it, or more?
Three very simple questions, but fundamental to entering the modus operandi imposed by the new legislation, and sufficient to show that the GDPR is not a static regulation but a dynamic one, requiring continuous compliance with its rules.
Adapting to the GDPR therefore means following a process of adaptation and constant maintenance of the company's internal collection and processing of personal data.
Analyzing business processes, one notices that data processing very often happens in the course of the most common activities: marketing funnels, landing pages, generic marketing, interaction with course delivery platforms, payment channels, and so on.
Every INPUT source of such data is, and must be, protected and justified by its purpose.
To ensure the security of these data it is imperative to minimize what is requested, limiting collection to the data strictly necessary for the purpose pursued and thus limiting the exposure of superfluous data (why ask for a phone number to join an e-mail campaign?).
Stop and analyze the purpose of the processing before requesting any data. Without a purpose, a use for the data, there is no legitimacy either in requesting or in processing them. Therefore, even before asking for a data item, the GDPR requires us to understand why we ask for it, where and when we use it, where we store it, and which data we actually need for the intended purpose.
GDPR PRACTICAL APPLICATIONS
As already mentioned, if the GDPR elevates personal data to the "oil" of the digital era, making it the hub of present and future business development, at the same time it entails rights and obligations of EU-wide importance.
Companies in the European Union are required to organize themselves so as to prevent misuse of information reported by or referring to individuals, and must do so according to a precise set of rules:
- The information notice on data processing must be written in clear and plain language, without legal references, so that it is easily understood even by minors (Art. 12);
- Consent to processing must be freely given, specific, informed and unambiguous (Art. 4(11));
- The figure of the DPO (Data Protection Officer) is introduced: not a manager of the company databases but an independent person who informs and advises the controller and monitors compliance (Arts. 37-39);
- Certification mechanisms and new organizational models for data processing are introduced (Arts. 42-43);
- New rights arise, such as the right to be forgotten and the right to data portability.
Right to oblivion and Right to data portability
The right to be forgotten (right to erasure, Art. 17) is the right of the data subject to obtain from the data controller the erasure of personal data concerning him or her, and the cessation of their dissemination.
The right to data portability (Art. 20) consists of the data subject's right both to receive their data in a structured, commonly used and machine-readable electronic format, and to transmit those data from one controller to another.
The core principle of the GDPR is summarized in one phrase: minimize the use of data (data minimisation, Art. 5(1)(c)).
To comply with it, and thus ensure correct processing, two further guiding principles follow (Art. 25):
- Privacy by design means that the protection of personal data must be thought out and organized from the moment the processing is designed and information is collected. It is a criterion for minimizing processing risks by minimizing the data required (data minimisation);
- Privacy by default means preventing the collection of unnecessary data, thus avoiding the acquisition of data superfluous to the purposes stated in the information notice.
What must the information notice contain?
The information notice on data processing (Art. 13) must include:
- The identity and contact details of the data controller;
- The contact details of the DPO, where one has been designated;
- The purposes of the processing for which the data are intended, and its legal basis;
- Any recipients or categories of recipients of the personal data, and any intention of the controller to transfer them to third countries;
- The data retention period, or the criteria used to determine it;
- The existence of the data subject's rights to request access to the data, rectification, erasure, restriction of processing, objection to processing, and data portability;
- The existence of the right to withdraw consent at any time, where the processing is based on consent;
- The right to lodge a complaint with a supervisory authority.
How to be data compliant
- Create a data-protection compliance folder on the company file system. This will form the basis of your evidence of compliance.
- Document every step you take toward GDPR compliance, so that it can be used in your defense if necessary.
- Keep minutes of internal GDPR meetings and GDPR decisions.
- Appoint a Data Protection Officer where required (Art. 37), or where it is useful to do so.
- Map the data, that is, determine which data your activity collects and where they are stored.
- Divide the data into categories.
- Identify the legal basis for processing each category of data.
- Request consent, where consent is the legal basis.
- Implement a policy to identify and manage data access requests.
- Implement a policy to identify and manage requests for the deletion or correction of data.
- Create a document of non-conformity issues to show awareness of compliance gaps and plan full compliance, or at least careful risk mitigation.
- Require individual credentials (a password) for every user account, whether on personal devices, website back-ends or other systems.
- Maintain a register of consents, recording who has already given consent and who has yet to do so.
- Create a data retention program. When data reach the end of their retention period, destroy them in accordance with a data destruction policy (minimize the data in your possession).
- Involve staff so that ALL understand what personal data are.
- Train staff to recognize a data breach.
- Make sure the website is served over HTTPS (privacy by design).
- Decide which people should have access to the data on each device.
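The data map, the retention program and the "why ask for the phone number?" minimisation question above can be operationalised as a periodic check. The following Python script is an added example written for this page, not code from the original article and not legal advice: the categories, purposes, legal bases, retention periods, allowed fields and the sample records are all constructed assumptions chosen for illustration, and a real schedule must come from the company's own data map and legal review.

```python
"""Retention and minimisation check over a constructed personal-data inventory.

Added example for illustration; the schedule and records below are assumptions,
not a statement of what the law requires for any real category of data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed reference date for the check (assumption).
TODAY = date(2024, 6, 1)


@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    legal_basis: str                 # e.g. "consent", "legal_obligation"
    retention_days: Optional[int]    # None: keep only while the legal basis holds
    allowed_fields: frozenset        # fields justified by the purpose (minimisation)


# Constructed data map: category -> rule. Every category must state a purpose,
# a legal basis and a retention period; anything outside this map is unmapped data.
SCHEDULE: Dict[str, RetentionRule] = {
    "invoice": RetentionRule("accounting and tax records", "legal_obligation",
                             10 * 365, frozenset({"name", "address", "vat_number", "amount"})),
    "newsletter": RetentionRule("email campaign", "consent",
                                None, frozenset({"email"})),
    "job_application": RetentionRule("recruitment", "legitimate_interest",
                                     180, frozenset({"name", "email", "cv"})),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected: date
    fields: Tuple[str, ...]
    consent_withdrawn: Optional[date] = None


# Constructed sample inventory (assumption).
SAMPLE_RECORDS: List[Record] = [
    Record("inv-1", "invoice", date(2010, 1, 15), ("name", "address", "amount")),
    Record("inv-2", "invoice", date(2020, 3, 1), ("name", "address", "amount")),
    Record("nl-1", "newsletter", date(2021, 5, 5), ("email", "phone")),
    Record("nl-2", "newsletter", date(2022, 2, 2), ("email",), consent_withdrawn=date(2024, 1, 10)),
    Record("job-1", "job_application", date(2023, 10, 1), ("name", "email", "cv")),
    Record("cctv-1", "cctv", date(2024, 5, 30), ("image",)),   # not in the data map
]


def classify(records: List[Record], today: date) -> Dict[str, list]:
    """Sort records into destroy / keep / unmapped according to the schedule.

    destroy  -> [(record_id, reason)]  records whose retention basis no longer holds
    keep     -> [record_id]           records still within their justified retention
    unmapped -> [record_id]           records with no purpose in the data map
    """
    result: Dict[str, list] = {"destroy": [], "keep": [], "unmapped": []}
    for r in records:
        rule = SCHEDULE.get(r.category)
        if rule is None:
            # No documented purpose means no legitimacy: a non-conformity to fix.
            result["unmapped"].append(r.record_id)
            continue
        if rule.legal_basis == "consent" and r.consent_withdrawn and r.consent_withdrawn <= today:
            result["destroy"].append((r.record_id, "consent withdrawn"))
            continue
        if rule.retention_days is not None and r.collected + timedelta(days=rule.retention_days) <= today:
            result["destroy"].append((r.record_id, "retention period expired"))
            continue
        result["keep"].append(r.record_id)
    return result


def excess_fields(records: List[Record]) -> Dict[str, List[str]]:
    """Return, per record, the fields not justified by the category's purpose."""
    excess: Dict[str, List[str]] = {}
    for r in records:
        rule = SCHEDULE.get(r.category)
        if rule is None:
            continue   # reported by classify() as unmapped
        extra = sorted(set(r.fields) - rule.allowed_fields)
        if extra:
            excess[r.record_id] = extra
    return excess


if __name__ == "__main__":
    outcome = classify(SAMPLE_RECORDS, TODAY)
    for rid, reason in outcome["destroy"]:
        print(f"DESTROY {rid}: {reason}")
    for rid in outcome["unmapped"]:
        print(f"UNMAPPED {rid}: no purpose or legal basis in the data map")
    for rid, extra in excess_fields(SAMPLE_RECORDS).items():
        print(f"EXCESS {rid}: fields not needed for the purpose: {extra}")
```

Run on the constructed inventory, the check flags the ten-year-old invoice and the six-month-old job application as past their retention period, the newsletter subscriber who withdrew consent for immediate erasure, the CCTV record as unmapped (no purpose in the data map, so no legitimacy), and the phone number collected for an e-mail campaign as a field the stated purpose does not justify. The output of such a check belongs in the non-conformity document and the compliance folder described above.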
Avv. Sara Iacobelli