More than two years have passed since Regulation EU 679/2016, the General Data Protection Regulation (or GDPR for short), came into effect and organisations cannot ignore the importance of constantly adapting and updating their internal processes to ensure compliance with the requirements of the GDPR.
Central to the Regulation is the protection of the data subject, which obliges organisations to adapt both internally and towards the outside world. This is not merely a bureaucratic requirement: the presence of a Privacy Organisational Model that is fit for current and future challenges provides concrete proof to stakeholders and to the market of the organisation’s professional competence, commitment and quality. Compliance in the framework of personal data protection is a significant competitive advantage that allows any organisation that approaches and meets this challenge appropriately to stand out among its competitors, even in the most saturated of markets.
Although the Regulation does not alter the guidelines established by EC Directive 95/46 on the protection of personal data, it introduces important new features: clearer rules on information and consent; restrictions on the automated processing of personal data; the foundation for new rights to be exercised (the right to be forgotten and the right to data portability); strict criteria for the transfer of data outside the EU; and procedures to follow in the event of a breach of personal data (data breach). Moreover, the concept of “accountability” is introduced, as well as the figure of the Data Protection Officer (DPO).
Looking in more detail at the changes introduced by the GDPR, it is important to highlight that:
- The privacy policy, which makes the data subject aware of how personal data are collected and processed, is one of the cornerstones of the GDPR. The need to duly notify data subjects highlights the key concept of transparency in the processing of personal data and the importance of making it possible for data subjects to exercise their rights. The privacy policy must be carefully drafted and kept up to date so organisations can go about their business while remaining fully compliant with the GDPR.
- The data subject’s consent must be obtained in advance and be unequivocal, even when it is granted by electronic means and, in the case of special categories of personal data (sometimes called sensitive data), consent must always be granted explicitly, since implied consent is not permitted under any circumstances.
- The risk of a Data Breach should never be taken lightly. In the event of a breach of personal data, the organisation has a series of obligations and it must be ready to respond quickly should a security incident occur: procedures to handle the breach are required, together with event reporting processes, to enable the organisation to communicate the occurrence of a personal data breach in a clear, simple and immediate manner to the Supervisory Authority for the protection of personal data and, if the data breach represents a threat to the rights and freedoms of individuals, the data subjects involved also need to be informed.
- The concept of accountability refers to the need for organisations to take responsibility for adopting approaches and policies that constantly take into account the risk that processing personal data may entail for the rights and freedoms of data subjects, through compliance with the principles of “privacy by design” and “privacy by default”, in order to ensure data protection starting from the conception and design phase of a processing operation. All organisations must ensure they act in compliance with the principles of minimisation, transparency, lawfulness, fairness, necessity, accuracy, relevance, storage limitation and adequate security of the processing operations, so as to reduce the risks associated with handling and processing personal data.
- The Data Protection Officer (DPO) is a new figure introduced with the GDPR, who is in charge of ensuring the correct, responsible management of data processing within organisations.
Activities
Building a better company, together
With a view to ensuring that every organisation achieves the highest level of compliance with the new legislation on the processing of personal data, Gruppo PLS draws on the multidisciplinary experience of its consultants to offer its clients concrete support in tackling and managing the most important privacy issues related to the processing of personal data.
It is essential for companies to develop a structured Privacy system in order to manage their activities correctly, and also to avoid facing penalties for breaching the regulations.
Data Protection Officer (DPO)
The person who takes on this role must have proven knowledge of the GDPR and of the company’s privacy policies; in some cases it is also necessary to have appropriate expertise in IT and other technical aspects. The DPO is appointed by means of formal nomination by the Data Controller and acts in a completely independent manner, with no conflicts of interest.
Main duties
- Advises the Data Controller and the Data Processor on the obligations arising from the privacy legislation at European level
- Supervises the application of applicable legislation in company procedures, specifically the allocation of responsibilities, raising awareness and staff training
- Gives legal advice on the Data Protection Impact Assessment (Risk Assessment)
- Acts as the link between the Supervisory Authority and the Data Controller, and between the data subjects and the Data Controller.
Compliance with legislation on the protection of personal data does not simply mean acknowledging the existence of the relevant regulations; it also means designing and planning the organisation of company operations from a “privacy oriented” perspective. In order to comply with the GDPR, it is therefore necessary to have an organisational and documentary system that is structured to ensure compliance with the principle of accountability, both within the organisation and towards the outside world.
Gruppo PLS places its consultants at the service of the client, providing multidisciplinary support in the preparation of the necessary documentation to ensure full compliance with the legal and regulatory requirements for data processing operations. Key documents include the following, by way of example:
- privacy policies and notices for the various different data subjects
- the Data Processing Register
- internal procedures and company guidelines on matters related to personal data protection
- a structured Privacy Organisational Chart specific to the company and the related internal appointments
- the nomination of External Data Processors.
PLS also undertakes to provide constant support in updating the documentation produced, including any amendments in the light of changes in the interpretation or in legislation regarding the processing of personal data.