What is GDPR?


  • Data protection requires that appropriate technical and organisational measures be taken both by controllers and by processors.
  • GDPR compliance is a complex activity which requires a deep understanding of privacy law as well as of market dynamics, processes and businesses.
  • Controllers and processors should maintain records of their processing activities.
  • Controllers and processors should evaluate the risks inherent in data processing by carrying out a data protection impact assessment (DPIA).
  • A personal data breach may result in damage to natural persons, for example: loss of control over personal data, discrimination, identity theft or fraud, and financial loss.
The General Data Protection Regulation n. 2016/679 (the so-called GDPR) is the cornerstone of the new legislative framework on data protection, valid in all Member States, concerning personal data and privacy. Adopted and entered into force on 27 April 2016, its sanctioning system has applied directly since 25 May 2018, after a two-year transition period which allowed Member States and companies to implement all of the standards it contains. Since it is a Regulation rather than a Directive, the GDPR does not require further legislative steps by Member States in order to be applicable.
The primary purpose of the new legislation is the protection of natural persons through the protection of the data concerning them, updating the previous legislation, which was drafted before the Internet age had begun.
With the GDPR, the EU has a new set of principles, professional figures and roles for data protection. The Data Protection Officer (DPO) becomes an integral part of the privacy regulation with an advisory and supervisory role, and the EU Representative gains renewed importance for handling data subject rights and requests. The right to be forgotten: each data subject has the right to have his/her data retained no longer than necessary, coupled with the right to have data erased from third parties' archives upon request. The right of access and data portability: everyone should be able to easily access the information about them processed by controllers or processors, and to ask for their data to be transferred from one controller to another. The right to be informed in case of a severe data breach: if unauthorised access or disclosure occurs, data subjects must be informed where it results in a high risk to their rights.
The privacy by design and privacy by default principle: the GDPR introduced the need for accountability, privacy principles and security compliance from the very first phase of the product/service lifecycle, the so-called design phase, as well as in software development or the planning of any other tool which may involve the processing of personal data; similarly, the minimisation principle and respect for GDPR standards are considered to be the foundation of every process, service or product, and are imposed as the default setting for all data processing.
The GDPR has changed the way privacy must be built into all processing activities, with a risk management approach taken from the data subject's perspective, requiring a data protection impact assessment (DPIA) where the risk is significant or where new technologies will be used to process personal data. The sanctioning system has become very strict, providing for fines of up to twenty million euros or 4% of a company's annual turnover. In any case, the GDPR should not be seen only as a set of standards to be respected: the right of access, data portability and legitimate interests can foster new business opportunities. For example, small service providers can rely on data subject cooperation to gain access to a large amount of information that was previously the exclusive prerogative of a few big players, since users can ask for their data to be transferred easily and directly from one provider to another.

Privacy-by-default and privacy-by-design


  • When developing or designing applications, services and products that process personal data to fulfil their task, producers should be encouraged to take into account the right to data protection, with due regard to the state of the art, so as to make sure that controllers and processors are able to fulfil their data protection obligations;
  • Protection of the rights and freedoms of data subjects, as well as the responsibility and liability of controllers and processors, requires a clear allocation of responsibilities among the actors involved in processing activities;
  • Where controllers or processors not established in the European Union process the personal data of data subjects who are in the EU, there should, by default, be an EU representative;
  • When entrusting processors with processing activities, controllers should seek sufficient guarantees that technical and organisational measures meeting the requirements of the GDPR will be implemented;
  • In order to demonstrate compliance with the GDPR, controllers and processors should maintain records of the processing activities under their responsibility and are obliged to cooperate with the supervisory authority upon request, supported by the DPO and the EU Representative;
  • In order to maintain security and to prevent processing in infringement of the GDPR, controllers and processors should evaluate the risks inherent in the processing and implement measures to mitigate those risks, also by means of a data protection impact assessment (DPIA), possibly coordinated by a DPO.
The new European legal framework on data protection, implemented with the GDPR, establishes and introduces two new principles, which the Regulation itself, in Art. 25, treats as related but distinct concepts: "data protection by design and by default".
Since the entry into force of the GDPR, any project (understood in an extremely broad sense) involving personal data must be carried out, possibly under the supervision of the Data Protection Officer (DPO), treating the confidentiality and protection of personal data as an essential element from its origin / design (hence privacy by design). The privacy-by-design principle has a wide area of application, ranging from IT systems to business practices, and is based on a preventive concept of data protection which must be provided from the design phase of new products or services onwards. In a nutshell, it is a methodological approach intended to apply independently of any individual platform, application or market segment. In practice, the party required to apply these two key principles of the new system introduced with the GDPR is the data controller, which is asked to put in place adequate technical and organisational measures in order to prevent possible violations. Such measures include pseudonymisation, minimisation of the data collected or processed, the adoption of appropriate cyber security measures, and the integration of all the guarantees necessary for the full protection of data subjects' rights during the processing of personal data. Of course, during the design phase of a new product or service, the Data Protection Officer (DPO) can be consulted in order to identify, for example, the measures most suitable for compliance with the Regulation.
Finally, the protection of the rights and freedoms of natural persons with regard to the processing of personal data always requires that appropriate technical and organisational measures be taken to ensure that the requirements of the GDPR are met. The controller or processor is therefore asked to demonstrate such compliance, for example by adopting internal policies and implementing measures that minimise and/or pseudonymise the personal data processed, increase transparency with regard to the functions and processing of personal data, and enable the data subject to monitor the processing.

