GDPR, THE NEW EUROPEAN GENERAL DATA PROTECTION REGULATION
On May 24, 2016 the new EU Data Protection Regulation, EU Regulation 2016/679 (GDPR, General Data Protection Regulation), entered into force; it must be implemented by May 2018.
The GDPR reform is a fundamental step for law in the digital age and for a unified body of legislation valid in all EU countries. Its implementation avoids the fragmentation of administrative costs and expenses (an estimated saving of 2.3 billion euros a year) and facilitates the work of the police, the justice system and the authorities in protecting citizens in the event of criminal violations. It is a valuable attempt to harmonize the privacy rules of the various Member States and aims to develop the digital single market through the creation and promotion of new services, applications, platforms and software.
The new European privacy regulation affects the corporate systems and procedures that companies currently use. Our suggestion is therefore to start the gap analysis of corporate information systems and privacy procedures against the new requirements right away.
The Gap Analysis
The first step, and the most important one, is to define the register of processing activities and the plan for adjusting to the GDPR. This phase involves assessing the organization's current model in order to define an action plan that is appropriately detailed and tailored to the company's actual situation.
Given how wide the GDPR's impact perimeter is at company level, mapping the current model and comprehensively identifying the gaps against the requirements of the Regulation calls for a structured approach covering all the levers on which it is possible to act to reach the adjustment target, such as:
- Organization and roles
- People, culture and skills
- Processes and rules
- Technology and tools
- Control system
A new role is born: the DPO, Data Protection Officer
The Data Protection Officer (DPO) is the reference role introduced by the GDPR.
The DPO, a role historically already present in some European legislation, is a professional who must hold a corporate position (whether internal or external) with legal, IT, risk management and process analysis skills. Their main responsibility is to observe, evaluate and organize the management of data processing (and therefore data protection) within a company, whether public or private, so that data are processed in compliance with European and national privacy regulations. The introduction of this role serves not only to shift a whole series of data-protection responsibilities from one party (the controller / processor) to another (the DPO), but above all to entrust data protection exclusively to a specific, specialized and expert person who stays up to date on the risks, problems and security measures needed to ensure an adequate level of protection.
Administrative fines may, depending on the infringed provision of the GDPR, amount to a maximum of EUR 20 million, or, if this is a higher amount, 4% of the total worldwide annual turnover of an organisation. Such fines may be imposed on both the controller and the processor.
GDPR: concerns and benefits
The GDPR brings with it some legitimate concerns, linked to the sanctions provided for by the regulation, to the damage to the company's image in the event of a compromise, and to the cost of complying with the law. At the same time, however, it brings a long list of concrete benefits: greater security for the data the company manages, the fight against illegal trafficking in information, leaner business processes, a stimulus for investors and partners, an improved corporate image, and better protection of other company information such as intellectual property.
TT Tecnosistemi services
The services offered by TT Tecnosistemi in the GDPR area consist of supporting companies in the process of complying with the GDPR.
The following is the methodological model we have defined for an assessment and subsequent adaptation to the GDPR.
The concepts apply to any type of company, simply by sizing the activities and their level of detail appropriately. The model has 10 phases:
- A pre-assessment of the privacy documentation provided by the customer
- Selection of the scoped processes and definition of the intervention perimeter
- A detailed assessment based on interviews and on-site analysis to complete and integrate the pre-assessment
- Definition of As-Is and To-Be (in accordance with Legislative Decree 196/03 and GDPR and in line with the real needs encountered)
- Development of a Gap Analysis and a possible DPIA
- Definition of the necessary and possible actions and development of an intervention plan
- Selection of any supporting software
- Implementation of the chosen solution (documentation, procedures, protection measures and any software)
- Change Management & Training
- Support and update of the solution and staff