The news since Privacy Day, and in particular the speeches of members of the Privacy Authority, made unequivocally clear the impact on companies and the need to implement the compliance measures that already apply. First and foremost is the adoption of technical and organizational measures that ensure a level of security appropriate to the risk, also in view of the notification and reporting obligations arising from a Data Breach which, we would like to remind you, will affect all data controllers (Holders).
The effective date was May 25, 2016, and its implementation was set for May 24, 2018, but to this day changes and corrective actions remain very much a matter of updating and correction. Here is an overview of the most important practices and possible pitfalls:
The dominant principle of the legislation: the company must always be able to demonstrate compliance with the regulation through ex ante forms of assurance. Corporate accountability is total and proactive. It requires not only the adoption of technical measures but, more importantly, the preparation of internal policies to ensure compliance by employees.
Companies will have to notify the supervisory authority of violations within 72 hours and, in the most serious cases, inform the data subjects affected by the violation.
RIGHTS OF INTERESTED PARTIES
The rights of data subjects have been strengthened (right to be forgotten, restriction of processing, etc.), so close attention must be paid to requests from any source; in particular, employees must be instructed to recognize the forms in which data subjects can exercise their rights.
REINTRODUCTION OF THE OBLIGATION TO EDUCATE/TRAIN PEOPLE
This applies to all persons in charge of data processing (Articles 29 and 32).
SECURITY OF PROCESSING
All companies will need to conduct a risk analysis of the data they process in order to put in place the appropriate technical and organizational measures (policies) to lower the level of risk detected.
DATA PROTECTION IMPACT ASSESSMENT
A specific ex ante analysis is required for the processing operations specified in Art. 35.
PENALTIES OF UP TO 20,000,000 OR FOR ENTERPRISES UP TO 4 PERCENT OF WORLDWIDE TURNOVER
For the first time, provision is also made for violation of basic processing principles such as lawfulness, fairness, transparency, stated purpose, appropriateness, relevance, conditions for consent, and processing of sensitive data.
There are many points for which in-depth monitoring, timely analysis and numerous audits need to be completed in order to comply with the requirements of the GDPR and to avoid fines from the regulatory authority.
A thorough audit in line with ISO 19011 and the Guarantor’s orders and guidelines is recommended to verify whether the requirements have been met.
Below is a brief list of the requirements that must be fulfilled:
Disclosures must be compliant: each data collection form must have a specific disclosure with precise consent requests. Browsing data must also be covered by a disclosure (site disclosure). Cookie management must be in line with what the Garante set out in the May 8, 2014 order. The Privacy Guarantor issues sanctions on websites almost daily.
It is important to understand that the mandatory content set out in Art. 13 is unavoidable, but it is equally important to know which information must be provided and how. Evolving legislation has allowed the methods of communicating with the data subject to be simplified.
CHECKS – ART. 4 STATUTE OF WORKERS (reformed by the Jobs Act)
It provides that, in order to carry out checks on work tools, the worker must be informed and instructed in advance about how the checks are carried out and about their consequences. To be compliant, policies in line with the Privacy Code must be adopted, as expressly stipulated in Art. 4.
MARKETING, VIDEO SURVEILLANCE, GEOLOCATION, BIOMETRICS, CLOUD
Each of these entails specific obligations (notifications, appointments, …) set out in the Guarantor’s orders dedicated to the subject.
What is stipulated in Annex B and in subsequent measures (system administrator, internet and e-mail, etc.) must be fully implemented. Data security is the first point of compliance for both the current legislation and the European Regulation: not only the cybersecurity of the data, but also the security of processing, which is achieved through policies and training.
APPOINTMENT OF APPOINTEES
The Guarantor, acting through the Guardia di Finanza, has often imposed penalties for failure to formally appoint the persons in charge of processing (appointees).
EXTERNAL DATA PROCESSING
Current legislation, and even more so European legislation, obliges us to regulate our relationships with those to whom we entrust data processing. The regulations require the appointment of external data processors (external managers).