HOW TO IMPLEMENT THE NEW GDPR REGULATIONS

  • Team DGTHUB
  • 30 December 2019

The goal of this regulation is to guarantee European citizens and consumers control over their personal data. In fact, data is increasingly used by companies in an improper way, or is not sufficiently protected from possible cyber attacks.

What is GDPR?

For a few years now everyone has been talking about GDPR (Global Data Protection Regulation). The European legislation, drawn up by the European Privacy Guarantor, was officially approved for EU countries on April 27, 2016 and became law on May 25, 2018. But what exactly is it, and which companies need to comply with it?

Companies already had the obligation to manage company data in compliance with privacy rules before the enactment of Law 2016/679, known as GDPR. But this new law, and the sanctions it provides for, have placed a very clear focus on the issue, forcing companies to take it seriously.

Which companies have the obligation to implement the GDPR legislation?

This legislation concerns all companies in possession of European customer data, regardless of where their registered office is. If, for example, a company has its registered office in Switzerland but processes data of European citizens, the GDPR must be applied all the same. Compliance includes the regulation of all data flows, the drafting of the processing (treatment) register, the privacy information notice and a company manual.

Is the appointment of the DPO mandatory?

The DPO, or Data Protection Officer, evolved from the earlier Privacy Officer. The DPO is an expert in the field of privacy and data who supports the company owner in the management of company data. The role of the DPO is key: they check that the legislation is applied and respected. They must have adequate knowledge of the regulations and of the practices for managing personal data, and must fulfil their functions in full autonomy and independence and in the absence of conflicts of interest. For this reason, a person at the top of the company, able to influence the choices made regarding data processing, cannot hold this position.

The role of the DPO can be entrusted to an employee of the company, but it can also be outsourced to a service provider. There are several advantages to entrusting it to an external consultant: an outsourced DPO is constantly updated on regulatory developments and can offer valid support to the owner and staff in applying the law.

Why outsource the DPO?

Many companies decide to equip themselves with an external DPO, in order to:

  1. guarantee correct compliance with the legislation and avoid the risk of incurring onerous penalties, which go up to 4% of turnover;
  2. have a dedicated team of IT specialists, lawyers and project managers constantly updated on the legislation and its evolution;
  3. guarantee the drafting of the formal documents required by law, which every company must produce in the event of an inspection by the Privacy Guarantor.

New checks and penalties by the Privacy Guarantor

The penalties for companies that do not comply with the legislation, and are shown not to have adapted their business, can reach up to 4% of annual turnover. Since September 2019 inspections by the Privacy Guarantor have increased, focusing in particular on:

  • Processing carried out by ISTAT
  • Personal data processing carried out for the issuing of federated identities
  • Personal data processing carried out by banking institutions
  • Personal data processing carried out by companies for marketing activities
  • Personal data processing carried out by companies, with particular reference to the profiling of data subjects who hold loyalty cards

Has your company not yet complied with the GDPR legislation? Fill in the QUESTIONNAIRE and our Privacy Team will contact you to arrange a meeting.
