The countdown to GDPR

Lawyer Vincenzo Colarocco

The General Data Protection Regulation (‘GDPR’) will apply from 25 May 2018, giving companies and data protection authorities a limited window to get ready for the new rules: the time available is less than sixty days.

As is known, the GDPR aims to standardize national data protection laws by introducing a new set of data protection rules directly enforceable in all EU Member States. But the effect of the GDPR will not be limited to the European context: given its wide geographical scope, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Moreover, the Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Therefore, companies should understand, as soon as possible, how the GDPR will affect their business models and data processing practices.

In this regard, the main innovations introduced by the Regulation are:

  1. The “accountability”: the data controller has to demonstrate that he has adopted a comprehensive process of legal, administrative and technical measures for the protection of the personal data collected, including the development of specific organizational models;
  2. Privacy Impact Assessment: each data controller is obliged to perform and document a risk assessment based on the processing operations performed; on the basis of the results, the data controller has to consider whether to carry out a prior consultation with the Authority;
  3. Privacy by design and privacy by default: it is required to adopt measures for pseudonymisation and minimization of data processing, with regard to access, the overall context in which the data processing takes place, and the risks for the rights and freedoms of data subjects;
  4. The Data Protection Officer (DPO): the Regulation introduces this figure, who can be considered a data protection manager; the DPO is a figure of control, advice and support to the data controller and to the processor for the concrete application of the GDPR;
  5. Data breach notification: all data controllers (regardless of size and sector of intervention) have to notify the data breach to the Authority within 72 hours from the moment in which they became aware of the fact, or from the time at which the controller was made aware of it, without unjustified delay, after having carried out an assessment of the nature and seriousness of the violation of personal data and its consequences and negative effects for the subjects;
  6. The new rights: the controller must recognize and easily allow the exercise of the rights (access, portability, erasure, opposition, rectification) of the data subjects;
  7. Sanctions: the Regulation has significantly increased the penalties deriving from non-compliance with the EU law up to a maximum of 20 million euro or 4% of the total annual turnover in the previous year (if higher).

Therefore, it is clear that the GDPR has an area of application that extends beyond the boundaries of the EU: the deadline of 25 May is here, and non-EU companies are also required to comply with the new legislation.

First and foremost, assess whether, as a non-EU controller or processor, you will fall within the scope of the GDPR; then determine where your main establishment might be located based on your data processing activities.