Data Privacy and GDPR

More than two years have passed since Regulation EU 679/2016, the General Data Protection Regulation (or GDPR for short), came into effect and organisations cannot ignore the importance of constantly adapting and updating their internal processes to ensure compliance with the requirements of the GDPR.

Central to the Regulation is the protection of the data subject, which obliges organisations to adapt both internally and towards the outside world. This is not merely a bureaucratic requirement: the presence of a Privacy Organisational Model that is fit for current and future challenges provides concrete proof to stakeholders and to the market of the organisation’s professional competence, commitment and quality. Compliance in the framework of personal data protection is a significant competitive advantage that allows any organisation that approaches and meets this challenge appropriately to stand out among its competitors, even in the most saturated of markets.

Although the Regulation does not alter the guidelines established by EC Directive 95/46 on the protection of personal data, it introduces important new features: clearer rules on information and consent, restrictions on the automated processing of personal data, the foundation for new rights to be exercised (the right to be forgotten and the right to data portability), strict criteria for the transfer of data outside the EU, and procedures to follow in the event of a breach of personal data (data breach). Moreover, the concept of “accountability” is introduced, as well as the figure of the Data Protection Officer (DPO).

Looking in more detail at the changes introduced by the GDPR, it is important to highlight that:

  • The privacy policy, which makes the data subject aware of how personal data are collected and processed, is one of the cornerstones of the GDPR. The need to duly notify data subjects highlights the key concept of transparency in the processing of personal data and the importance of making it possible for data subjects to exercise their rights. The privacy policy must be carefully drafted and kept up to date so that organisations can go about their business while remaining fully compliant with the GDPR.
  • The data subject’s consent must be obtained in advance and be unequivocal, even when it is granted by electronic means and, in the case of special categories of personal data (sometimes called sensitive data), consent must always be granted explicitly, since implied consent is not permitted under any circumstances.
  • The risk of a Data Breach should never be taken lightly. In the event of a breach of personal data, the organisation has a series of obligations and must be ready to respond quickly should a security incident occur. Procedures to handle the breach are required, together with event reporting processes, so that the organisation can communicate the occurrence of a personal data breach in a clear, simple and immediate manner to the Supervisory Authority for the protection of personal data. If the data breach represents a threat to the rights and freedoms of individuals, the data subjects involved also need to be informed.
  • The concept of accountability refers to the need for organisations to take responsibility for adopting approaches and policies that constantly take into account the risk that processing personal data may entail for the rights and freedoms of data subjects. This is achieved through compliance with the principles of “privacy by design” and “privacy by default”, so that data protection is ensured from the conception and design phase of a processing operation onwards. All organisations must ensure they act in compliance with the principles of minimisation, transparency, lawfulness, fairness, necessity, accuracy, relevance, storage limitation and adequate security of the processing operations, so as to reduce the risks associated with handling and processing personal data.
  • The Data Protection Officer (DPO) is a new figure introduced with the GDPR, who is in charge of ensuring the correct, responsible management of data processing within organisations.