GDPR 2018 – What it is and how to comply with the Regulation by 25 May 2018

On 27 April 2016, Regulation (EU) 2016/679, better known as the GDPR (General Data Protection Regulation), was adopted. It applies from 25 May 2018 and governs how personal data may be collected, used and protected.

The regulation is not addressed only to organisations established in the EU: it also applies to companies and organisations anywhere in the world that process the personal data of individuals who are in the European Union, where the processing relates to offering them goods or services or to monitoring their behaviour (Article 3).

It is important to clarify that this article is not intended to replace the advice of a legal expert or the official text of the regulation. It summarises the basic points of the regulation as a practical guide that anyone can use to bring their organisation's handling of personal data into line with it.

What is GDPR

The GDPR, Regulation (EU) 2016/679, is the regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It repeals Directive 95/46/EC, the previous data protection directive.

What are personal data

Personal data means any information relating to an identified or identifiable natural person (Article 4(1)): a name, an identification number, location data, an online identifier such as an IP address or a cookie ID, or one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity.

Who is the data controller?

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)), in other words why and how the data is processed.

In the context of a website, the controller is the company (or the individual) that operates the site and decides, for example, to collect its users' e-mail addresses in order to send them commercial or advertising messages. Note that the controller is the organisation itself, not its owner personally.

Who is the data processor?

The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (Article 4(8)).

The processor could be, for example, the marketing agency that uses the personal data handed over to it by the controller to carry out a corporate marketing plan.

The Data Protection Officer (DPO, Articles 37 to 39) is a different role: a person designated by the controller or the processor to advise on and monitor compliance with the regulation. Appointing a DPO is mandatory for public authorities and for organisations whose core activities consist of large-scale regular and systematic monitoring of individuals or of large-scale processing of special categories of data.

What the data controller must do

The controller is obliged to analyse what personal data it collects and how it is processed in relation to the company's structure.

Here is a summary of the obligations a controller should fulfil in order to comply with the GDPR:

  • Make a full assessment of the processing operations and related risks, reviewing the old security policy document (the so-called DPS envisaged by Italian Legislative Decree 196/2003) and, where prepared, the organisational model under Legislative Decree 231/2001, and draw up the Record of Processing Activities (Article 30). Enterprises with 250 or more employees must keep the Record regardless of the type of data processed and the purpose of processing. Enterprises with fewer than 250 employees must keep it only if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data (the so-called 'sensitive' data of Article 9) or personal data relating to criminal convictions and offences (Article 10)
  • Check the privacy notices and consent forms already in use and, if necessary, update them and obtain consent again from the people whose data you hold; consent collected under the old rules remains valid only if it already meets the GDPR standard (Recital 171)
  • Define the roles: the controller, the processors and, where the type of data and the processing method require it, the Data Protection Officer
  • Check that adequate security measures are in place, both physical (access to the premises and archives where data are kept, alarm systems, surveillance, etc.) and technical (antivirus, firewalls, encryption of data at rest and in transit, access control, backups, etc.), and that they are tested regularly, as Article 32 requires
  • Check the contracts signed with the processors: Article 28 requires a written contract that binds the processor to act only on the controller's documented instructions, keep the data confidential, assist the controller with data subject requests and breaches, and delete or return the data at the end of the service. Sign the engagement letter with the Data Protection Officer, if one is appointed
  • Check whether the insurance cover extends to damage caused by loss, theft or manipulation of data
  • Adopt procedures for handling data subject requests (access, rectification, erasure, portability), which must be answered without undue delay and in any event within one month of receipt, extendable by two further months for complex or numerous requests (Article 12(3)); adopt a breach response procedure and prepare templates for notifying the supervisory authority, which must be done within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk (Article 33), and for informing the affected individuals when the breach is likely to result in a high risk to them (Article 34)
  • Carry out a data protection impact assessment (DPIA) under Article 35 when the processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals: systematic and extensive profiling, large-scale processing of special categories of data, or large-scale systematic monitoring of a publicly accessible area.

What a website owner must do

The owner of a website must ensure simple, secure and transparent navigation that respects the rights of its visitors.

Let us go through, point by point, the steps a website owner should take:

  • Know every technology that processes personal data on the website (analytics, cookies, embedded third-party scripts, contact forms, newsletter tools, hosting and backups)
  • Where consent is the legal basis for the processing, ask for and obtain it before processing the data: consent must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action (a pre-ticked box or mere continued browsing does not count), and the site must be able to demonstrate that it was given (Articles 4(11) and 7)
  • Inform users in a simple and transparent way of the purposes of the collection, the retention period and the other elements listed in Article 13
  • Let users withdraw any consent previously given at any time, and make withdrawal as easy as giving consent (Article 7(3))
  • Know what data is passed to third parties, where it is sent and why
  • Guarantee the right to data portability (Article 20). On request, provide the data the user supplied in a structured, commonly used and machine-readable format (CSV or JSON, for instance; the regulation names no specific format) and, where technically feasible, transmit it directly to another controller, making it easier for users to move to another provider.
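
The consent, withdrawal, portability and deadline points above can be made concrete in a few dozen lines. The following is an added example written for this article, not code from the original page or from any product it mentions: it keeps an append-only consent ledger per purpose, answers "does this user currently consent to X?", exports a user's data as JSON or CSV, records an erasure, and computes the Article 12(3) one-month and Article 33 72-hour deadlines. Storage is an in-memory dictionary, and the user "u1", the e-mail address and the timestamps are constructed sample values.

```python
"""Consent ledger, portable export and request deadlines for a small website.
Added example, not code from the original article: storage is an in-memory
dict and every sample value is constructed; a real site would use a database
with an audit trail."""
from __future__ import annotations

import calendar
import csv
import io
import json
from dataclasses import asdict, dataclass, field
from datetime import date, datetime, timedelta, timezone


@dataclass
class ConsentEvent:
    purpose: str   # one purpose per consent, e.g. "newsletter" or "profiling"
    given: bool    # True = consent given, False = consent withdrawn
    at: str        # ISO-8601 timestamp of the event
    evidence: str  # how it was obtained, e.g. "signup form v3, unticked box"


@dataclass
class Subject:
    subject_id: str
    email: str
    attributes: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)


class ConsentLedger:
    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}

    def register(self, subject_id: str, email: str, **attributes) -> None:
        self._subjects[subject_id] = Subject(subject_id, email, dict(attributes))

    def record(self, subject_id: str, purpose: str, given: bool,
               evidence: str, at: str | None = None) -> None:
        # Append-only: the controller must be able to show later what was
        # agreed to, when and how (Art. 7(1)), so events are never overwritten.
        at = at or datetime.now(timezone.utc).isoformat()
        self._subjects[subject_id].consents.append(ConsentEvent(purpose, given, at, evidence))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Latest event for the purpose wins. No event means no consent: silence
        # or a pre-ticked box is not a clear affirmative action (Recital 32).
        events = [e for e in self._subjects[subject_id].consents if e.purpose == purpose]
        return bool(events) and events[-1].given

    def export_portable(self, subject_id: str, fmt: str = "json") -> str:
        # Art. 20: structured, commonly used, machine-readable. JSON and CSV
        # both qualify; the regulation does not mandate CSV.
        s = self._subjects[subject_id]
        if fmt == "json":
            return json.dumps(asdict(s), indent=2, sort_keys=True)
        if fmt == "csv":
            buf = io.StringIO()
            w = csv.writer(buf)
            w.writerow(["field", "value"])
            w.writerow(["subject_id", s.subject_id])
            w.writerow(["email", s.email])
            for k, v in sorted(s.attributes.items()):
                w.writerow([k, v])
            for e in s.consents:
                w.writerow([f"consent:{e.purpose}", f"{'given' if e.given else 'withdrawn'} {e.at}"])
            return buf.getvalue()
        raise ValueError(f"unsupported format: {fmt}")

    def erase(self, subject_id: str) -> dict:
        # Art. 17: drop the personal data, keep only a non-identifying receipt
        # proving that the request was fulfilled.
        s = self._subjects.pop(subject_id)
        return {"subject_id": subject_id,
                "erased_at": datetime.now(timezone.utc).isoformat(),
                "purposes_cleared": sorted({e.purpose for e in s.consents})}


def response_due(received_iso: str) -> str:
    # Art. 12(3): answer a data-subject request within one month of receipt
    # (extendable by two further months for complex or numerous requests).
    # Month-end dates are clamped, so 31 January -> 28 February.
    d = date.fromisoformat(received_iso)
    years, month0 = divmod(d.month, 12)          # month0 == 0 only for December
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day)).isoformat()


def breach_notification_due(aware_iso: str) -> str:
    # Art. 33: notify the supervisory authority within 72 hours of becoming
    # aware of a breach, unless it is unlikely to result in a risk.
    return (datetime.fromisoformat(aware_iso) + timedelta(hours=72)).isoformat()


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.register("u1", "alice@example.com", country="IT")  # constructed sample
    ledger.record("u1", "newsletter", True, "signup form v3, unticked box", "2018-05-25T10:00:00+00:00")
    ledger.record("u1", "newsletter", False, "unsubscribe link", "2018-06-01T09:00:00+00:00")
    print("newsletter consent now:", ledger.has_consent("u1", "newsletter"))
    print(ledger.export_portable("u1", "csv"))
    print("request of 2018-01-31 due by", response_due("2018-01-31"))
    print(ledger.erase("u1"))
```

Two design choices matter here. The ledger is append-only, so a withdrawal never deletes the evidence that consent was once given; the site can still prove what it relied on for the mailings it sent before the withdrawal. And `has_consent` treats "no record" as "no consent", which is the safe default: a purpose the user was never asked about cannot be inferred from another one.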

To whom the GDPR is addressed

The regulation is aimed at all companies and organisations, EU and non-EU, that store, manage or use the personal data of individuals who are in the EU. It protects people in the Union, not only EU citizens: it applies to every organisation established in the EU and, for those outside the EU, whenever they offer goods or services to people in the Union or monitor their behaviour.

The GDPR is aimed at both controllers and processors, so it is important to re-examine your contracts with external providers that store, manage or use your customers' personal data, paying particular attention to those located outside the EU: transferring data to them is allowed only under one of the mechanisms of Chapter V (an adequacy decision, standard contractual clauses, binding corporate rules, etc.).

Examples of web processors could be hosting providers, e-mail marketing platforms or even marketing and advertising agencies.

To whom the GDPR is NOT addressed

The regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (Article 2(2)(c)), for example a private address book or family photographs.

What sanctions do those who do not comply with the regulations face?

This time the penalties for controllers and processors are substantial (Article 83).
For the less serious infringements (for example of the obligations on controllers and processors, on security, or on records), the fines go up to €10 million or, for undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For the most serious ones (the basic principles of processing, the conditions for consent, data subjects' rights, international transfers), the fines go up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Conclusions

In short, my advice, which is in no way a substitute for that of a legal professional, is to re-evaluate all the systems you use to collect and process personal data, check the consents you have received, delete any data that was collected without a valid lawful basis such as consent, and bring your website into compliance with the new regulation by 25 May 2018.

Finally, I recommend downloading the official text of the Regulation from this link and seeking the advice of a competent legal professional, since each company is a separate entity that requires a customised assessment.