May 25, 2018 is almost here and there are still many Italian and EU companies that have not yet understood the consequences of the General Data Protection Regulation, better known as GDPR. The changes introduced by the new regulation will most likely impact the activities, processes and procedures of any EU company. For this reason, in the hope of helping those who are still asking what the new legislation changes and how to organize themselves to make their business compliant with it, it is useful to provide a summary of the main innovations introduced by the GDPR and to propose a task list, with a related action plan, covering the main operations to be carried out in order to avoid being caught unprepared.
Articles, Manuals and Online Resources
Those who missed our previous posts and advice related to GDPR compliance should definitely start with the following:
- GDPR – Free Webinars, Courses, Manuals and Online Resources, a collection of articles, webcasts, webinars, PIA software and other informative and operative resources available for free online so as not to be caught unprepared.
- The free Security of Personal Data Processing Handbook by ENISA.
- The free Privacy and Data Protection for Mobile Devices Handbook, also by ENISA.
- The “La Protezione dei Dati è un diritto di Libertà” video released by the Italian Privacy Authority.
- Our very own How to deal with GDPR – Plan, Do, Check, Act guide, featuring a useful summary of the main IT and administrative aspects of the 2016/679 EU regulation and a checklist of things to do to adapt.
- The Privacy & Compliance category, containing all the GDPR-related posts, thoughts and analysis regarding key aspects such as: data mining, profiling, consent acceptance & more.
Once these essential resources have been reviewed, all that remains is to go into the details of the regulation.
On 25 May 2018 the provisions of the General Data Protection Regulation (GDPR), also known as EU Regulation 2016/679, will become applicable. With this Regulation the European Commission intends to strengthen and harmonize the protection of the personal data of citizens and residents of the European Union, both inside and outside the EU borders. The text, published in the Official Journal of the European Union on May 4, 2016 and entered into force on May 25 of the same year, will begin to apply on May 25, 2018.
The text obliges all data controllers who process the data of EU residents to observe and fulfill its obligations. The most important thing to understand is that any “local” privacy law already existing within a member state will be superseded, since in EU countries EU regulations take precedence over internal law. In Italy, for example, the GDPR will replace the Data Protection Directive (officially Directive 95/46/EC) established in 1995 and will repeal the provisions of the Personal Data Protection Code (D.Lgs. 196/2003) that are incompatible with it.
The GDPR was adopted on 27 April 2016. Its effective application is scheduled for 25 May 2018, after a two-year transition period: unlike a Directive, it does not require any implementing legislation by the member states, so it will be immediately enforceable.
The key points of the GDPR are the following:
- Responsibility, understood as accountability, of those who process personal data: they have the obligation to observe the principles applicable to the processing of personal data set out in Article 5, to fulfill the related obligations and to be able to demonstrate that they have done so.
- Obligations, articulated along the following lines:
- More stringent requirements for the information to be given to data subjects, which must include the retention period of the personal data and the contact details of the data controller and of the data protection officer.
- Respect for the right to challenge automated decisions, including profiling (Art. 22). EU citizens have the right to challenge decisions that affect them and that have been made on the basis of the output of an algorithm, except where such a decision is necessary for the conclusion or performance of a contract between the data subject and a data controller.
- Obligation to have the authorization of the Member State law to which the data controller is subject, which must also lay down measures to protect the rights, freedoms and legitimate interests of the data subject.
- Obligation to obtain the explicit consent of the data subject (Art. 4 and Art. 7) for the collection of the data and for the purposes for which they are used.
- Obligation to apply the Privacy by Design and Privacy by Default principles (Art. 25), which respectively prescribe that data protection must be part of the design of all business processes, and that privacy settings must be configured at a high level of protection by default.
- Data Security, guaranteed by the data controller and by the data processor, who are called upon to put in place suitable technical and organizational measures to ensure a level of security appropriate to the risk. To this end, the controller and the processor shall ensure that whoever accesses the collected data does so within the limits of the powers conferred on them and only after having received appropriate training.
- Data Breach (Art. 33 and Art. 34): the data controller will have the legal obligation to notify personal data breaches to the national supervisory authority within 72 hours of becoming aware of them, and to communicate them where required.
- Rights of the data subject to erasure, restriction and rectification, which replace the previous right to be forgotten (Art. 17). The data subject has the right to request the deletion of personal data concerning them on any of a number of grounds, which include non-compliance with Art. 6.1 (lawfulness), including case (f), in which the fundamental interests or rights of the data subject requesting protection prevail over the controller’s legitimate interests. The data subject must be able to exercise this right as easily as they gave consent to the processing of their data. The controller, upon request by the data subject, must inform them of the recipients to whom the erasure request has been forwarded (Art. 19).
- Data Portability: a person must be able to transfer their personal data from one IT system to another without the data controller being able to prevent it. Furthermore, the data must be provided by the controller in a structured and commonly used format (Art. 18).
The regulatory obligations imposed by the GDPR have a considerable impact on most companies and organizations operating within the European Union (and not only there, as explained in this webcast). Among the main aspects that should be kept in mind, we would like to underline the following, too often underestimated by the companies we have worked with:
- Personal data coming from customers of any kind (companies, public administrations, partner companies, etc.);
- Cash flows and payment data, for companies that handle online transactions and / or act as withholding agents for any accounting and / or fiscal entity;
- Attachments, scans and / or other information from your users that contain (or are likely to contain) personal data: identity documents, shipping addresses, payment details, and so on; attachments and information from their shipping and distribution networks (if applicable);
- Supplier activities on company systems, with particular regard to the IS and ICT areas; storage, protection and encryption of personal, medical and judicial data and documents in electronic format and within the databases relating to the various services; ICT communication protocols (HTTP / HTTPS, FTP / FTPS, VPN, networking et al.); archiving of company e-mails and PECs (certified e-mails) relating to customers, suppliers, users and employees; and so on.
- Personal data flowing to and from customers, with particular regard to activities that entail specific obligations towards the Revenue Agency and / or the Tax Registry: I refer in particular to what is required by the recent tax regulations and to the record layouts that insurers and reinsurers, as well as funds, brokers and other entities operating in the insurance sector, are required to send annually; the same applies to all professional associations, hospital facilities, local health authorities (ASL) and so on;
- Profiling & analysis tools of any kind installed and / or implemented within the company’s own website and / or its own applications which provide for online access, with special regard to the so-called ‘reserved areas’ (accessible through credentials);
- All the aspects described above for which the company performs or plans to perform the role of Data Processor, according to the procedures described in the previous paragraph.
Now that we have identified the main areas of intervention, all that remains is to establish an adequate line of action. In order to better address the many changes that are necessary, it is advisable to arrange the establishment of a dedicated Task Force for the GDPR compliance coordinated by a team composed of the following professional figures:
- Company officers / managers whose duties are closest to the activities to be carried out, who are entrusted with planning the adaptation activities (ICT Manager) after completing a specific training program (ICT security, privacy officer).
- Employees with specific skills in management engineering, process analysis and management control, after being included in a specific training program (privacy officer).
- Third-party experts who are able to provide specific advice in the field of GDPR and Privacy, if the company does not have such skills.
In very short terms, the GDPR Task Force should do the following:
- Collect all the necessary information on the impacts of the regulation on company activities through specific strategic planning tools (SWOT analysis, gap analysis, CSF).
- Set up an appropriate action plan.
Regarding the action plan, we strongly recommend sticking to the ISO 9001:2015 process guidelines, which follow the iterative steps of the PDCA framework (Plan – Do – Check – Act):
- Planning of activities to be carried out in any relevant field: administrative, business units, ICT, data processing and more.
- Communication and Training to colleagues and employees on the main elements of the analysis carried out.
- Production of the required documents: Privacy Manual, Register of Processing Activities, Privacy Risk Assessment, Privacy Impact Assessment for the various types of processing, any new privacy notices, contract amendments et al.
- Implementation of the new requirements within the business processes, with particular regard to those that impact the activities of Business Units, Information Systems and ICT.
- Analysis of all the business processes to ensure that the principles of Privacy by Design and Privacy by Default, as well as the obligations envisaged in terms of rights, security, violation, deletion and portability of data are appropriately documented.
- Review of all procedures, processes, software, systems and storage tools in line with the outputs resulting from the analysis activities performed.
These activities require several weeks of work and need to be carried out with the collaboration and active involvement of the people in the various key areas of the company, with particular regard to the legal office (if any), administration, accounting, HR, IT, compliance, logistics and general services, without forgetting the specific activities carried out by management. If you have yet to start, you are already late … so do not waste any more time and get to work!
That’s it, at least for now: we sincerely hope that this brief overview can provide valuable help to those who, like us, will be called upon to coordinate this historic adjustment path for their company and / or their customers. Good work and … good luck!