Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), which governs the processing of personal data at European level, applies from 25 May 2018.
The free orientation seminar organized on 3 May by ANIMA together with Federmacchine was an occasion to take stock of the obligations the Regulation imposes.
The Regulation on the protection of personal data is intended by the European legislator as a first important pillar in regulating the broad field of information security. It is closely linked to the topic of information security and, together with the forthcoming Cyber Security Act, will be an important tool for making accountable both companies operating as data processors and companies in the mechanical engineering sector.
In Italy, the Privacy Code (Legislative Decree 196/2003) is expected to be repealed and replaced by the harmonization decree issued by the Italian government. The Guarantor for the protection of personal data (the Italian data protection authority) has also confirmed that the sanctions provided for by the GDPR apply in full, with no exceptions.
An important new feature introduced by the GDPR is the accountability of data controllers and data processors. The Regulation strongly emphasizes the "accountability" of controllers and processors, that is, the adoption of proactive behaviour that demonstrates the concrete adoption of measures designed to ensure that the Regulation is applied.
It follows that the new criteria to be applied are:
data protection by design, which requires that any project, service or system (e.g. a website, work environment, software, etc.) be implemented with the confidentiality and protection of personal data considered from the design stage, including measures such as pseudonymisation;
data protection by default, which requires that only the data necessary be processed by default (minimization already at the collection stage);
preparing a register of processing activities: a register of processing operations that gives an up-to-date picture of the processing carried out within a company and is indispensable for any risk assessment and analysis. Keeping the register is not a formal fulfilment but an integral part of a system for the correct management of personal data;
data protection impact assessment: a procedure for demonstrating compliance with the personal data protection rules, which describes the processing and facilitates (through appropriate measures) the management of risks that could undermine the rights and freedoms of the natural persons whose data is being processed.
Finally, regarding how data subjects exercise their rights, the main novelties are:
the right to erasure has been strengthened and extended (right to be forgotten);
the right to data portability has been introduced (Article 20);
the data retention period must be specified: the expected retention period must be stated or, if this is not possible, the criteria used to determine that period.
Lastly, pecuniary administrative sanctions are a central element of the new regime the Regulation introduces to enforce its rules, as they form an important component of the set of enforcement tools available to the supervisory authorities. The measures available to the supervisory authorities include both financial sanctions and corrective measures.
For further information, we refer to the guide of the Privacy Guarantor previously made available.