
1. The difference between sensitive and personal data
Personal data is information relating to the user: an e-mail address, a profile photo, the social security number or a telephone contact, the connection IP address, the vehicle registration number, etc.
Please note: data referable to legal persons, i.e. companies, organizations and associations, are not considered personal data.
2. What's the difference?
The new legislation will come into force on 25 May 2018.
The main innovations can be summarized in these points:
- obligation to report in case of data breach to the Privacy Guarantor;
- addition of data expiration date in the information and right to be forgotten;
- greater clarity in the information on the nature, use and processing of data;

3. New roles and figures
The new legislation requires the definition of all subjects who come into contact with personal data and introduces new figures.
The data controller remains the subject (natural or legal person) who decides, in full autonomy, the purposes and methods of the processing, such as collection, recording, communication or dissemination.
The first novelty is the role of the internal data manager, who is not necessarily present but, if appointed, is appointed in writing by the data controller. Its main task is to monitor compliance with the rules the company has adopted for personal data.
Then there is the DPO (better known as Data Protection Officer) who is responsible for observing, evaluating and organizing the management of the processing of personal data within a company.
His appointment is mandatory in the case of:
a) public authorities or bodies
b) activities that regularly and systematically monitor large-scale data
c) activities that acquire sensitive data
It is also envisaged that the employer must designate the persons in charge of the processing, i.e. the subjects within the company who come into contact with personal data, and that they must be properly trained and kept up to date on the procedures in force.
Finally, there is the possibility of appointing an external data processor.
This occurs when a company entrusts part of its activities, and the consequent processing of data, to external parties, for example when using outsourced IT services or the services of a call centre or another type of supplier.

4. First steps: to do list for the new legislation
In all this confusion you will have wondered what needs to be done.
Each company, based on its business, the nature of the data it comes into possession of, has different obligations.
However, there is a common to-do-list which consists of a few simple steps:
- fill in a privacy programme, i.e. a simple questionnaire aimed at identifying the nature of the information you come into contact with and the security measures you apply, thus defining the procedures you intend to adopt now and in the future;
- define the data controller, appoint any manager and the DPO (if necessary) or assign the formal assignment to the external data processor;
- update the privacy policy on your site and in the company;
- activate an SSL certificate on the website and on e-mail;
- share the new information in your company organization, taking care of staff training so that it can immediately implement what has been decided;
- notify the change to the information to all persons whose personal data you already hold;
- provide for periodic checks to verify the compliance of the collection, processing, data protection and removal of expired data.
All these phases must be recorded and documented because they constitute proof of compliance with the law in the event of reporting to the Guarantor.
5. Update the privacy notice
The central point is that the notice must be clear and complete.
The Guarantor expressly calls for a plain, colloquial tone: you must be able to explain simply and effectively:
a) purposes and methods of processing;
b) any obligation to provide data to use certain services;
c) to whom the data may be communicated or disseminated;
d) retention period;
e) rights of the interested party including the right of modification, revocation, cancellation and complaint;
f) methods of data transfer to a third country;
g) policy on the personal data of minors;
h) identity and contact details of the data controller, the manager (if present) and the DPO (if present).

6. Consent
In order for the processing of data to be considered legitimate, an "informed" consent must be requested from the interested party for the use of the data, differentiating the consent between necessary and additional data.
For example, the use of personal data for marketing purposes cannot be made mandatory.
However, there are cases in which consent is not required, namely:
a) when the processing is required by a legal obligation, by a regulation or by community legislation.
b) when it comes to data necessary for the execution of an existing contract, for example data for the invoicing of a product or service.
c) in the case of personal data coming from public registers, lists, deeds or documents that can be known by anyone.
Companies are also relieved of the obligation of consent for promotional and marketing activities aimed at their customers such as for promotional communications concerning products and services already purchased or similar products.
Sensitive data requires a higher level of protection.
In order to use them, the company must therefore first obtain the written consent of the person and the authorization of the Guarantor.
The personnel selection process also involves processing candidates' personal data. A company that receives spontaneously sent CVs has no obligation to provide the notice or to ask for consent. Only when the company takes the CV into consideration and decides to contact the candidate must it provide a brief notice (which may also be verbal).
If, on the other hand, it is the company that initiates a selection, the notice on the processing of data must be available before the CV is acquired, and it must be expressly accepted if the CV contains sensitive data (for example, membership of a protected category) or if the application is shared with third parties.

7. Data protection
The company must implement as many security measures as possible to minimize the risk of destruction or loss of data, unauthorized access or processing that is not permitted or does not comply with the purposes of the collection, even if it is accidental.
If the data is stored on paper, it may be sufficient to fit a lock on the cabinet or room.
If, on the other hand, they are in digital format, the measures must be appropriate to the risk.
The minimum security measures envisaged are:
a) verify the identity of the person accessing the system (for example with username and password);
b) adopt tools that prevent illegal or abusive access (such as antivirus, firewall);
c) make backup copies to restore any stolen or corrupted data as soon as possible;
d) provide for sensitive data to be encrypted;
e) train the personnel involved in data processing;
We recommend that you set up logging and access traceability so that the perpetrators of any such violations can be identified.
8. Transfer of data abroad
Community legislation provides that personal data can circulate freely within the European Union.
To transfer data outside the European Union, on the other hand, protection standards adequate to European ones must be guaranteed.
The list of third countries deemed reliable with which no measures will be necessary in case of data export will be available on the website of the Guarantor.
9. Rights of the interested party and duration
The legislation introduces specific rights for each user whose personal data is held. Everyone may request to know what data the company has, why they were collected and how they are processed.
In addition, the new legislation introduces for the first time the concept of expiration or the right to be forgotten.
The basic idea is that personal data should only be kept for a time considered reasonable.
It therefore means that, when personal information is no longer necessary for the purpose for which it was collected, it must be removed or made anonymous.
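As an added illustration of the retention rule just described (this is example code, not from the article): each record carries the purpose it was collected for and its collection date; once the retention period for that purpose has passed the record is anonymised, and an erasure request is honoured unless a legal obligation requires the data to be kept. The retention periods, the legal-hold purpose and the sample records are constructed assumptions.

```python
# Added example (not the article's own code): enforcing expiry / right to be forgotten.
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per processing purpose (constructed values for illustration)
RETENTION_DAYS = {"invoicing": 10 * 365, "marketing": 2 * 365, "recruiting": 180}
# Purposes where a legal obligation requires keeping the data (assumption: invoicing)
LEGAL_HOLD = {"invoicing"}
# Fields that identify the person; anonymisation must drop exactly these
IDENTIFYING_FIELDS = {"name", "email", "phone", "ip"}

@dataclass
class Record:
    record_id: int
    purpose: str
    collected: date
    data: dict
    erasure_requested: bool = False  # the interested party asked to be forgotten

def retention_expired(rec: Record, today: date) -> bool:
    """True once the record is older than the retention period for its purpose.
    An unknown purpose counts as expired: no stated purpose, no reason to keep it."""
    days = RETENTION_DAYS.get(rec.purpose)
    return days is None or today > rec.collected + timedelta(days=days)

def anonymise(rec: Record) -> dict:
    """Keep only non-identifying fields (still usable for statistics); identifiers are dropped."""
    return {k: v for k, v in rec.data.items() if k not in IDENTIFYING_FIELDS}

def apply_retention(records: list, today: date) -> dict:
    """Map record_id -> 'keep' | 'remove' | 'anonymise'. An erasure request is honoured
    unless a legal obligation requires retention; expired data is anonymised, not kept."""
    actions = {}
    for rec in records:
        if rec.erasure_requested and rec.purpose not in LEGAL_HOLD:
            actions[rec.record_id] = "remove"
        elif retention_expired(rec, today):
            actions[rec.record_id] = "anonymise"
        else:
            actions[rec.record_id] = "keep"
    return actions

# Constructed sample records
SAMPLE = [
    Record(1, "invoicing", date(2017, 1, 10), {"name": "A. Rossi", "email": "a@example.com", "total": 120}, True),
    Record(2, "marketing", date(2015, 3, 1), {"email": "b@example.com", "region": "IT-25"}),
    Record(3, "recruiting", date(2018, 2, 1), {"name": "C. Bianchi", "phone": "000"}, True),
    Record(4, "legacy", date(2018, 5, 1), {"ip": "203.0.113.7", "pages": 3}),
]
```

Record 1 is kept despite the erasure request because invoicing data is under legal hold; record 4 has no recognised purpose and is therefore anonymised immediately.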

10. Destruction, loss, violation
The new legislation establishes the obligation to notify the Guarantor for any violation (better known as data breach) and, in the most serious cases, also includes a communication to the interested parties of the problem encountered, to allow them to take measures that limit the possible prejudices to the person (for example, identity theft or damage to reputation).
The company may decide not to inform the interested parties if it deems that the violation does not involve a high risk, if it demonstrates that it has already adopted security measures, or if informing the interested parties would involve an effort disproportionate to the risk. In this last case a public communication must be made.
The following sanctions can be imposed by the Guarantor:
* a written warning in cases of unintentional first non-compliance.
* regular and periodic checks on data protection
* a fine of up to 10 million euros, or up to 2% of the overall turnover recorded in the previous year, in the cases provided for in Article 83, Paragraph 4; or up to 20 million euros, or up to 4% of turnover, in the cases provided for in Paragraphs 5 and 6.
The fines are divided into two brackets: up to a maximum of 10 million euros or, for companies, 2% of turnover (whichever is higher); or up to a maximum of 20 million or 4% of turnover, again for companies and always in relation to turnover.
The "lightest" fine (10 million or 2% turnover) is imposed for the transgression of principles such as privacy by design (lack of data protection by design) or the lack of suitable measures to guarantee a good standard of security. The heaviest one (20 million or 4% of turnover) occurs in the event of a violation of fundamental principles, such as denial of the right to be forgotten or opacity in the request for data consent.

