The GDPR: what it is, to whom it applies, guidelines
This is the first of a series of posts on the General Data Protection Regulation. Over the series we will go deeper into the subject and give practical advice on the measures to adopt in order to meet its requirements.
The GDPR is a vast and complex subject that touches several key areas of a company.
Juggling the various articles and understanding concretely what must be done to comply is hard, especially for companies that can ill afford to divert attention from their business objectives.
What’s GDPR?
GDPR, the acronym for General Data Protection Regulation, is EU Regulation 2016/679. It entered into force on May 24, 2016 and has been directly applicable since May 25, 2018, the deadline by which organisations had to adapt to its principles.
The whole of the GDPR rests on two guiding ideas: strengthening the principle of accountability, with the resulting duties for the Data Controller, and strengthening the rights of the data subject.
The Data Controller must therefore adapt to the principles of the Regulation, putting in place technical and organisational measures, being able to demonstrate that it has done so, and keeping those measures effective over time.
To comply with the obligations of the GDPR, two elements are necessary:
- Privacy by design → the appropriate technical and organisational measures must be determined already at the design stage of the information systems and of the means of processing
- Privacy by default → the data controller implements appropriate technical and organisational measures to ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the intervention of the individual concerned, and that only the data necessary for each specific purpose are processed
The guiding principles of the GDPR
In addition to the cardinal principle of accountability, the following key points deserve mention:
- Lawfulness, fairness and transparency → personal data are processed lawfully, fairly and transparently towards the data subject
- Data minimisation → personal data must be adequate, relevant and limited to what is necessary for the purposes of the processing
- Accuracy → personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to promptly erase or rectify inaccurate data
- Storage limitation → personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed
- Integrity and confidentiality → personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Who must comply with the GDPR
To whom does the GDPR apply? The Regulation covers all European companies that handle personal data in any way; in particular:
It applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (Art. 3). Note that Art. 3 also reaches controllers and processors established outside the Union when they offer goods or services to data subjects in the Union or monitor their behaviour there.
Activities of a purely personal or household nature, that is, with no connection to a commercial or professional activity, are instead outside its scope.
The rights of the interested party
Alongside the obligations placed on Data Controllers, the Regulation lays down rights in favour of the data subject. Among these:
- Information on the processing. Information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The data subject has the right to be told the purposes of the processing, the recipients of the data, the retention period, and how to request rectification or erasure
- Right of access. The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, where they are, access to those data
- Right to rectification and erasure (the "right to be forgotten"). The data subject has the right to obtain from the data controller, without undue delay, the rectification of inaccurate personal data concerning him or her, and the erasure of personal data where one of the grounds provided by the Regulation applies (for example, the data are no longer necessary for the purposes for which they were collected)
- Right to data portability. The data subject has the right to receive the personal data he or she has provided to a controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance
- Right to object. The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her
A new figure: the DPO
The Regulation introduces a new figure, the DPO, or the Data Protection Officer.
What is the role of the DPO?
The DPO may be an employee or an external consultant. As the name says, the Data Protection Officer oversees data protection; the role is distinct from that of the Data Processor and the Data Controller.
What are its duties?
- Inform and advise the controller or the processor, and the employees who carry out processing, of their obligations under the GDPR
- Monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and training of staff involved in processing, and the related audits
- Act as the point of contact for the supervisory authority and cooperate with it
Tools to ensure the security of personal data
The controller and the processor must implement technical and organisational measures that guarantee a level of security appropriate to the risk. By way of example only, these include:
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures adopted to ensure the security of the processing.
In assessing the appropriate level of security, particular account is taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
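The first measure in the list, pseudonymisation, is often misunderstood as "just hash the identifier". The following example, added here and not part of the original post, shows why an unkeyed hash is not pseudonymisation in the sense of Art. 4(5): anyone who can enumerate plausible identifiers (here, e-mail addresses) recomputes the hash and re-identifies the subject. A keyed construction (HMAC-SHA256) keeps the secret key as the "additional information" held separately from the data set, so the data set alone is unlinkable while the controller, holding the key, can still honour an access or erasure request. The sample records and the candidate list are constructed for the example; the key is generated per run and would in practice live in a separate key store.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, List, Optional

# Constructed sample records, as a controller might hold them before pseudonymisation.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchase": "laptop"},
    {"email": "bob@example.com", "purchase": "phone"},
    {"email": "carol@example.com", "purchase": "headphones"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    NOT adequate pseudonymisation: whoever can guess or enumerate candidate
    identifiers can recompute the digest and re-identify the data subject.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' of Art. 4(5). Kept apart from the
    pseudonymised data set (in a key store, assumed here), it lets the controller
    re-link pseudonyms to subjects while the data set stays unlinkable to anyone
    who does not hold it.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes) -> List[dict]:
    """Copy of the records with the direct identifier replaced by a keyed pseudonym."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "purchase": r["purchase"]}
        for r in records
    ]


def reidentify_by_enumeration(
    pseudonym: str, candidates: Iterable[str], derive: Callable[[str], str]
) -> Optional[str]:
    """Attacker's (or auditor's) view: run every candidate identifier through
    `derive` and report the one whose output matches the stored pseudonym.
    compare_digest keeps the comparison constant-time."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)        # controller's key, held separately from the data set
    wrong_key = secrets.token_bytes(32)  # what an attacker without the key might try
    candidates = [r["email"] for r in SAMPLE_RECORDS]

    weak = naive_pseudonym("alice@example.com")
    strong = keyed_pseudonym("alice@example.com", key)

    return {
        # Unkeyed hash: reversed at once by recomputing over a candidate list.
        "naive_reversed": reidentify_by_enumeration(weak, candidates, naive_pseudonym),
        # Keyed pseudonym: the same enumeration yields nothing without the key ...
        "keyed_without_key": reidentify_by_enumeration(strong, candidates, naive_pseudonym),
        "keyed_wrong_key": reidentify_by_enumeration(
            strong, candidates, lambda c: keyed_pseudonym(c, wrong_key)
        ),
        # ... while the controller, holding the key, can still re-link a subject.
        "keyed_with_key": reidentify_by_enumeration(
            strong, candidates, lambda c: keyed_pseudonym(c, key)
        ),
        "pseudonymised": pseudonymise(SAMPLE_RECORDS, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two practical notes: the candidate list an attacker needs is usually easy to obtain (leaked address lists, customer names, sequential customer IDs), which is why an unkeyed hash of a low-entropy identifier gives no real protection; and rotating or destroying the HMAC key turns the pseudonymised set into anonymised data as far as that identifier is concerned, which is one way to implement storage limitation without deleting the analytical records.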
Inventory of technological assets (or “asset inventory”)
A separate post will be devoted to this topic, going further into what companies concretely need to do.
Among the practical steps needed to meet the requirements of the GDPR, the Asset Inventory (the inventory of technological assets) is an important one.
The inventory of technological assets gives a complete overview of every element that makes up the system, including those responsible for security and information management. Some of the elements to be recorded:
- Devices: computers, servers, tablets, network devices, but also IP cameras, door openers, presence-detection systems, ...
- Software: the software installed on the devices on the network, with detailed information about it (version, vendor, owner)
- Archives: databases, file shares
- Users: the list of users entitled to access the company's devices and software
The Asset Inventory is the intermediate step between the record of processing activities and the information system. Through the record of processing activities, the company's managers list all the applications used for processing. The record may be kept in written or electronic form and is a continuously updated census of the data processed, of the archives, and of the categories of data subjects. The Asset Inventory, the inventory of all the technological assets present in the company, complements it by tying each processing activity to the concrete systems, software and accounts that carry it out.
What is the data breach and what does it entail
What happens in the event of a personal data breach (a "data breach")?
In the event of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
The notification must at least:
- describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned;
- communicate the name and contact details of the data protection officer or of another contact point from which more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed by the controller to address the breach and, where appropriate, to mitigate its possible adverse effects.