12 APR 2018

GDPR: what it is, what it regulates, how to conform to it

The GDPR (General Data Protection Regulation) is the New General Regulation on Data Protection (better known as GDPR or EU Regulation 2016/679), issued by the EU. It became effective on 24 May 2016 and it will be enforceable starting from 25 May 2018 with a legislative decree that harmonizes national legislation with community regulation and at the same time replaces the 1995 Data Protection Directive (Directive 95/46/EC).


GDPR regulation, what are the changes?

The principal new issue introduced by the Regulation consists in strengthening the principle of empowerment of owners and managers who are responsible for the processing of personal data. The responsible parties must take on a proactive attitude to demonstrate the adoption of suitable technical and organizational measures to correctly apply the Regulation to the collection and processing of personal data. A risk-based approach is introduced in the evaluation of the processing of personal data that may entail a high risk for “the rights and freedoms of data subject”.


GDPR for companies, what are the changes in Italy for companies and for online activities

Among the measures introduced or confirmed for companies and public administrations we must underline:

  • The suggestion to have a “Procedures Register”;
  • The designation of a “Data Protection Officer”;
  • The suggestion to have a register of the DPIA, that is impact assessments on data protection (a precise privacy risk analysis).

The Regulation and subsequent clarifications of the Italian Guarantor have outlined when and in which contexts these measures are to be considered mandatory, reiterating, once again, how the ultimate responsibility falls on the managers of the procedures.

The good practices of a careful governance of its processes suggest, however, at least the keeping of the treatment register which is the basis on which to then build all the activities of protection of personal data in the company. This governance can then be strengthened with careful integration with an Information Security Management System (ISMS) also certified according to ISO27001.

Good procedures of an administration attentive to its processes suggest, however, keeping the Process Register which is the basis on which the company can build all protection activities of personal data. In addition, this administration can be strengthened with careful integration of an Information Security Management System (ISMS) certified in accordance with ISO27001.


GDPR for companies, what are risks and penalties in case of negligence or violation

The owner of the processing of personal data is required to pay compensation in the event of violation of the Regulation as well as the person responsible for the damage caused by the process only if he has not fulfilled the obligations of the regulation or has violated the legitimate instructions of the holder. The burden of proof is borne by the owner and manager, as well as the burden of assessing the need and any methods of communication to the interested parties of the violation of their personal data processed. In terms of penalties, these are set at a limit of € 20,000,000 or 4% of the annual world turnover for the previous year in addition to the limitation or blocking of process.


GDPR, address to qualified professionals: Consulthink consultancy service

Consulthink works together with its customers, private companies and public administrations, offering them consultancy services, with in depth knowledge of the Regulations and the business domain which contextualize it.

Elaborated by Lucia D’Adamo, in collaboration with Daniele Paiella, supervised by Marco Pirrone