What is GDPR?
The General Data Protection Regulation (EU) 2016/679 (the so-called GDPR) is the cornerstone of the new legislative framework on data protection, valid for all Member States, concerning personal data and privacy. Adopted on 27 April 2016 and in force since 24 May 2016, it has applied directly, including its sanctioning system, since 25 May 2018, after a two-year transition period that allowed Member States and companies to implement its requirements. Being a Regulation rather than a Directive, the GDPR does not require further legislative steps by Member States in order to be applicable.

Key points:
- Data protection requires that appropriate technical and organisational measures be taken by both controllers and processors.
- GDPR compliance is a complex activity that requires a deep understanding of privacy law as well as of market dynamics, processes and businesses.
- Controllers and processors must maintain records of their processing activities.
- Controllers, with the assistance of their processors, should evaluate the risks inherent in data processing by carrying out a data protection impact assessment (DPIA) where the processing is likely to result in a high risk.
- A personal data breach may result in damage to natural persons, for example loss of control over personal data, discrimination, identity theft or fraud, and financial loss.
The primary purpose of the new legislation is the protection of natural persons through the protection of their personal data, modernising the previous legislation, which was drafted at a time when the Internet age had not yet begun.
With the GDPR, the EU has a new set of principles, professional figures and roles in data protection:

- The Data Protection Officer (DPO), who becomes an integral part of the privacy organisation with an advisory and supervisory role, and the EU Representative, whose importance for data subject rights and requests is renewed.
- The right to be forgotten: each data subject has the right to have his or her data retained no longer than necessary, coupled with the right to have the data erased from third parties' archives upon request.
- The right of access and to data portability: everyone should be able to easily access the information about themselves processed by controllers or processors, and to ask for their data to be transferred from one controller to another.
- The right to be informed in case of a severe data breach: if unauthorised access or disclosure occurs, data subjects must be informed when the breach is likely to result in a high risk to their rights and freedoms.
- Privacy by design and privacy by default: the GDPR requires accountability, privacy principles and security compliance from the very first phase of the product or service lifecycle, the so-called design phase, as well as in software development or the planning of any other tool that may involve the processing of personal data; likewise, the data minimisation principle and compliance with GDPR standards must underpin every process, service or product and be applied as the default setting for all data processing.

The GDPR has changed the way privacy must be built into all processing activities, adopting a risk management approach from the data subject's perspective: a data protection impact assessment (DPIA) must be carried out where the processing is likely to result in a high risk to data subjects or where new technologies are used to process personal data. The sanctioning system has become very strict, providing for fines of up to twenty million euros or 4% of the company's total worldwide annual turnover, whichever is higher.
In any case, the GDPR should not be seen only as a set of standards to be complied with: the right of access, data portability and legitimate interest can also foster new business opportunities. For example, small service providers can rely on data subjects' cooperation to gain access to large amounts of information that used to be the exclusive prerogative of a few big players, since users can ask for their data to be transferred easily and directly from one provider to another.