On May 25th, 2018 the new EU regulation on data privacy, applicable to all EU Member States, will enter into force, with no need to apply internal compliance measures.
To put it in a nutshell, the GDPR (General Data Protection Regulation) obliges companies to assume greater responsibility for the user data they collect, in order to protect it to the full.
The main aim of the European legislator is to create a single data protection regime, which affects businesses operating both inside and outside the EU.
WHAT ARE THE MOST SIGNIFICANT CHANGES?
Privacy notice and consent
Under the current rules, the notice informing the user about the purposes and methods of personal data processing is more of a bureaucratic document, full of legislative references. The user is thus discouraged from reading it and, consequently, the information is lost.
With regard to consent for data processing, the new EU Regulation provides that consent can be expressed by users in two ways: explicitly or through positive actions. This change will encourage companies to collect data that the individual concerned releases more consciously.
The GDPR defines profiling in Article 4 as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
In the case of profiling, companies must specify this type of activity in the notice and are required to ask for explicit consent. Consent through positive actions will therefore not be sufficient.
DPO – Data Protection Officer
The GDPR has introduced a new figure, the Data Protection Officer, an internal supervisor that serves as the point of contact between the company and the national Supervisory Authority. The DPO must have expert knowledge of data protection law and practices and can be an existing employee or externally appointed.
The appointment of a DPO is mandatory only in three situations:
- When the organisation is a public authority or body;
- When the organisation processes or stores large amounts of personal data;
- When the organisation’s core activities consist of a systematic monitoring of data subjects.
The GDPR imposes hefty fines on companies for non-compliance. For example, if a company does not report a data security breach within 72 hours, it will have to pay a fine.
Sanctions will be potentially very high, up to €20 million or 4% of annual global turnover, depending on the nature and gravity of the infringement.
What happens to the data already collected?
In order to regularise databases containing data acquired in compliance with the old regulations, companies must submit them to a verification process. In this way, they can be certain that the data can be used without the risk of incurring the hefty penalties that result from an infringement of the GDPR.