discover our V.D.R.

News - GDPR. Data control and protection.

01 FEBRUARY 2018

GDPR. Data control and protection.

From legal requirement to competitive asset.

Baldo Meo (Italian Data Protection Authority spokesperson): “Companies, be careful to prepare for the new rules. A systemic approach is needed". On the state of adjustment of Italian companies to the legislation, is the assessment satisfactory or not?

The business world is aware of the impact that the EU regulation will have on the organization and on the procedures to be implemented and is proving to be prepared for the deadline of May 25th. This is especially true for companies that have worked well in the last 20 years, since when a specific regulation on data protection is in force in Italy, with respect to which the Regulation does not actually represent a revolution, but an evolution.

However, the Regulation should not be seen as a burden, but as an opportunity to review all the processing of personal data in light of the new technological contexts and the new protection needs expressed by users. The protection of personal data must not only represent a legal obligation for companies, but rather a strategic component, a competitive asset and a skill to be developed within the company organization.
Although the sanctions introduced by the Regulation are particularly robust, it cannot be the only aspect capable of absorbing all the companies’ concerns.

The new legislation imposes new levels organization and places different emphasis on system security, even in the case of outsourcing. The security of corporate information and the systems that store data is no longer an accessory element, but requires a systematic approach. The data security is already today, and is intended to become ever more, an essential prerequisite for the lawfulness of data processing and to ensure that data is always integral, accurate and updated.

There are several institutions in the regulation aimed at risk prevention and at ensuring the necessary guarantees for protecting the rights of the parties concerned and risk minimization associated with the operations that are carried out. A similar function also requires to notify data breaches from which risks may arise for the parties involved, to be carried out within 72 hours and in any case without undue delay.
The data controllers, i.e. companies and entities that process data in outsourcing, are required to collaborate with the company owners in defining the appropriate technical and organizational measures and must also respect a series of obligations that directly affect them and that are inspired by principles of accountability that apply to the company owners. How does the relationship between the Italian Data Protection Authority and companies change with the GDPR?

The Regulation has an approach based on risk prevention and on the responsibility of the data controllers, who must implement proactive behaviors and be able to demonstrate that they have concretely adopted measures aimed at applying the new discipline and protecting data.
The Authority's intervention will include the implementation of the rules, on the one hand, and increasing verification of compliance with these rules. The verification will carried out mainly in retrospect, therefore at a later stage compared to when data controllers take the necessary actions. The Regulation also aims to simplify the legal framework and rationalize administrative burdens, which the EU Commission estimates at 130 million euros of annual savings for European companies.