Following a process which lasted for almost 4 years, on 14 April the European Commission passed the new General Data Protection Regulation, more commonly known as GDPR.
The GDPR is the most recent step taken by the European Commission to regulate the way in which companies and organisations handle and resell the private data and information of European citizens. Indeed, this regulation is closely linked to the activity of the large digital platforms which now dominate the digital market, using a wide range of tools that allow them to track user data in order to optimise the browsing experience. To this end, they systematically store information on the preferences of users, their etc.; processes which this regulation aims to make more transparent.
Moreover, privacy and neutrality on the web are issues which will be highly visible in the coming years as a topic of debate for users, companies and organisations alike.
Due to its implications, the GDPR requires companies and organisations to deal with its implementation in advance: only in this way will they be able to comply with its stipulations when the regulation comes into force on 28 May 2018.
The main aspects of the GDPR to be taken into account are:
– The GDPR covers all organisations which provide services or products to EU residents, whether or not these organisations have their headquarters in the EU and even when the services provided are free.
– The regulation will be directly applied to all EU countries, overcoming the differentiation of rules which occurred with the previous directive, which was transposed into the legislation of the different countries.
– The GDPR requires organisations to minimise the collection and storage of data, and to obtain the consent of consumers before processing their data. Tacit consent is banned.
– The GDPR affords the owners of personal data the right to be forgotten and to request the exclusion of their data by organisations, including data which is published on the internet.
– The definition of personal data now includes data on electronic localisation and identification, customer addresses, purchase email addresses, IP addresses and employee information. There are now also definitions of ‘profiles’, ‘ ’, ‘genetic data’, ‘biometric data’, and ‘data relating to health’.
– The GDPR will cover the activity of companies and organisations regardless of their size, and establishes direct responsibility for subcontractors. It is sufficient for the latter to collect and/or process data on European citizens.
– It also takes into account the nature and purpose of the data. It states that both those controlling the data and those who process it will be required to implement organisational and technical measures guaranteeing the security of the data in terms of confidentiality, integrity, availability and resilience of the systems for storing it, as well as regular validation of these measures.
– In the event of a leak of personal data, the organisation must notify the DPA (Data Protection Authority) within 72 hours of detecting the breach (except when the breach is unlikely to pose a risk to individual rights and freedoms) and must also inform the individuals affected that their information may have been accessed without authorisation.
– If it handles special categories of personal data on a large scale or as part of its core business, a company or organisation must have a DPO (Data Protection Officer) on its Board.
– There are also special rules for minors: it is not possible for children under 16 to give their consent for the handling of their personal data by online services, and this must instead be authorised by their parents or guardians.
– Penalties for breaching the rules of the GDPR: up to €20.000.000 or 4% of annual turnover.