We are now less than a year away from the effective implementation of the General Data Protection Regulation (GDPR), which is intended to replace the 1995 Data Protection Directive. Companies have until May 25, 2018 to bring themselves into compliance; after this date, any anomalies found will lead to fines of up to 20 million euros, or 4% of turnover.

Crucially, the European data protection rules will apply to all companies – whether based inside or outside the EU – that handle personal data of European residents, and these rules will apply to both data controllers and data processors. The only activities immune to the regulation will be those authorized to handle personal data for reasons of national security or public policy.

The GDPR requires that documented internal risk impact analyses be conducted and implemented based on the infrastructure and tools used. For the latter, according to Article 25, the principle of “privacy by design and privacy by default” is expected to apply, which imposes the obligation to provide the tools to protect personal data from the outset of a project.

Companies will need to demonstrate that they can comply with the new regulations, and they should employ robust safeguards to limit the risks as much as possible. Each company will also need to appoint, from within its workforce, a Data Protection Officer for each plant: an individual with a good knowledge of information systems, security, cyber attack management and other elements of business consistency aimed at sustaining and processing personal and sensitive data. The GDPR requires that, before the authority, a company be able to answer questions pertaining to the location of the data held, how it was tracked, and what risk assessment was done. In the event that a data breach occurs, the national supervisory authority must be notified within 72 hours, and the company that owns the data will be required to explain and document how it intends to act.

Under the new regulation, every EU citizen is given easy access to information about their personal data and how it is processed and used. The regulation also requires that consent to the processing of that data be valid and explicit, and that it can be revoked. Another novelty introduced by the GDPR is the right to the deletion of one’s own data and to its transferability from one electronic processing system to another, even outside the EU.


Marcello Argenti