The «General Data Protection Regulation» («GDPR»)
The «General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC» (so called «GDPR») is born with the aim of standardising and homogenising the legislation on data protection in Europe and of enhancing the responsibility of controllers and processors. The key aim is enhancing attention on data protection, with written documentation of procedures, processes, technical and organisational measures put in place to carry out data processing in compliance with the GDPR requirements and obligations. Much has been imported from the previous legislation and a meaningful contribution has been given by the Italian Personal Data Protection Code (so called «Codice Privacy»). Therefore, not everything is completely new and unknown to us.
The key principle is strengthening and keeping a regular and systematic accountability of controllers and processors, demanding to expressly demonstrate that data processing carried out is GDPR compliant. The accountability required is linked to the principle of data protection by design and by default. Applying procedures to meet the GDPR requirements at the time of planning of any activity must become a consolidated practice, like any decision relating to the activity itself. These procedures, which must be appropriately documented, have to be kept updated and checked in their substantial application; they have to be permanent and basic for any operation of processing.
The GDPR demands that the highest management level demonstrates compliance with provisions on data protection, with appropriate procedures able to protect individuals’ rights and freedoms.
A preventative risk analysis for any processing becomes the starting point for assessing the lawful feasibility of any processing and to determine whether and how much the data subject runs the risk to be exposed to breaches of rights and freedoms.
Many obligations are not new at all, but only stressed or refined, pointed out by specific recalls and provisions; others are certainly new.
The GDPR ranges from the principles relating to processing of personal data to the legal basis for processing (lawfulness of processing), from a chart of responsibility inside and outside the organisation of controllers and processors (controller, processor, persons authorised to data processing) to the security of processing, from the data protection impact assessment to data breach, from the appointment of a Data Protection Officer to the keeping of the Records of processing activities. Besides, the GDPR governs how transfer of personal data to third countries or international organisations can be lawfully carried out. Last, but not least, it is important to govern the obligations of information to data subjects and how to allow them to control the processing of their personal data, through the exercise of specific rights, including the right to lodge a complaint with the supervisory authority and the right to compensation for the damage suffered. In order to appropriately face the GDPR requirements, it is fundamental to get to know its key definitions.
The GDPR is a great challenge, we shall see together how to cope with it.